[ale] Comprimised System

[David Muse]

I've been hacked a couple of times and here's what I always did...

Start by booting to the installation disk in rescue mode, mount your
root partition and re-install RPM using the following rpm command:

(You may have to use mkdev to make device nodes for your primary hard
drive and it's partitions and mkdir to make a mount point before you
mount it. I don't remember if you do or not for Redhat 7.x.)

rpm -i --force --root /mnt/myrootpartition rpm-x.x-x.rpm

Substitute /mnt/myrootpartition with the mount point of your root
partition and substitute rpm-x.x-x.rpm with the actual name of the rpm
packages.  Do this for all of the rpm packages.  This will ensure that
you have an unhacked version of rpm on your system.

This assumes that rpm hasn't been upgraded since you first installed the
system.  If it has, you'll have to get a hold of the new rpm's, put them
on a floppy or a second CD, mount it somehow and install from there. 
This can be tricky, another option is to copy the install CD to the hard
drive on a different computer, replace the rpm RPM's and then burn a new
install CD.

Whatever you do, don't just re-install rpm using the normally booted
system, you can't trust the version of rpm that's on there, it may
detect that you're trying to re-install rpm and preserve itself.

Once you have a clean rpm installation, reboot and run:
	rpm --verify --all

It will report any file that has been modified from it's distributed
form.  Some of those, of course will be config files, but you may find
that system utilities(like ps, ls, du, df, netstat, etc) have been
modified. You can restore them by getting the original RPM and
installing it using rpm-i --force.

Once you have restored your system tools, you can trust their output. 
You know, for example that ps will report all processes and not hide
any.

Then you can use the system tools like ps, du, netstat, lsof, etc. to
look for renegade processes.

Unfortunately you'll have to examine all of the config files that have
been modified too.  You might find new cron's that are set up to run
periodically, new xinetd programs, etc.

You'll also have to compare any custom software to backups to make sure
none of it was compromised.  diff --unified --recursive can help here.

If you know the system well (ie. if you configured all of the programs
that run on it) then you should be able to figure out what all has been
cracked pretty quickly.  If not, then you'll have a lot of fun digging
around.  Sorry, I wish it was easier.

As for prevention, there are several useful intrusion detection tools. 
Tripwire is pretty commonly used.  If you have a large network,
contract security specialists can be really helpful.

Dave Muse
david.muse at firstworks.com

On Tue, 11 Jan 2005 11:45:06 -0500
Nick Travis <wormfishin at gmail.com> wrote:

> We have a system at work that has been comprimised.  It looks like
> they got in and used several different executable files, I've got the
> command history however I don't think it is complete.  For example I
> see that direcotories were created, but I never saw that they were
> removed and I can't find them.  It looks like about 5 ftp sites were
> hit and there was about 3 wget commands to pull down files.  Also
> apache was downloaded and installed, even though it was already
> running on the system.  So here's my question, I know that rebuilding
> the system is the only way to be sure that there is nothing else
> hidden on it, but that's not an option at this point.  Are there any
> good HowTo's or books out there that can give me some direction on how
> to check they system for irregularites?  This is the first time I've
> dealt with this so I would like to learn as much as I can about it,
> I've already determined how they got in.  A user made thier password
> the same as thier login name, which obviously is no longer allowed. 
> BTW the system is running Red Hat 7.3.
> 
> Nick
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>