[ale] Compromised System

Jonathan Rickman jrickman at gmail.com
Tue Jan 11 13:29:38 EST 2005


On Tue, 11 Jan 2005 11:46:24 -0500, Nick Travis <wormfishin at gmail.com> wrote:
> We have a system at work that has been compromised.  It looks like
> they got in and used several different executable files, I've got the
> command history however I don't think it is complete.  For example I
> see that directories were created, but I never saw that they were
> removed and I can't find them.  It looks like about 5 ftp sites were
> hit and there were about 3 wget commands to pull down files.  Also
> apache was downloaded and installed, even though it was already
> running on the system.  So here's my question, I know that rebuilding
> the system is the only way to be sure that there is nothing else
> hidden on it, but that's not an option at this point.  Are there any
> good HowTo's or books out there that can give me some direction on how
> to check the system for irregularities?  This is the first time I've
> dealt with this so I would like to learn as much as I can about it,
> I've already determined how they got in.  A user made their password
> the same as their login name, which obviously is no longer allowed.
> BTW the system is running Red Hat 7.3.

I think you have answered your own question there, and I'm sure you
know that already. If an intruder was actually able to execute
commands from a shell on your system, it can't be trusted...period. If
you absolutely have to leave it up, you should at least run chkrootkit
on it along with any sig checks (if you have them). Then it should be
surrounded by packet filters immediately. However, you should take no
feeling of comfort away from this no matter the result. You should
image the system for recovery purposes and wipe it as soon as you
possibly can. Prolonging the inevitable only leads to more problems.

--
Jonathan
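The "sig checks" Jonathan mentions are, on a Red Hat 7.3 box, the package manager's own verification: `rpm -Va` compares every installed file against the size, mode and MD5 digest recorded in the RPM database and prints one line per file that no longer matches. Raw `rpm -Va` output is noisy (config files and mtime-only changes show up everywhere), so the script below is an added triage helper, not something from this thread: it separates entries that point at replaced or deleted binaries from routine drift. The sample verify output is constructed for the demonstration, and the script assumes the standard 8-character flag column (S size, M mode, 5 MD5, D device, L symlink, U user, G group, T mtime, with a `c` marker for config files). Two caveats for a host the intruder had a shell on: run the verify from rescue media against the mounted disk (`rpm -Va --root /mnt/sysimage`) so the suspect kernel and `rpm` binary are not the ones doing the checking, and remember the RPM database itself lives on that disk and could have been edited, so a clean result proves nothing, exactly as the reply says.

```shell
#!/bin/sh
# Triage helper for `rpm -Va` output (added example; not from the thread).
# rpm -Va prints one line per file that fails verification, e.g.
#   "SM5....T    /usr/bin/netstat"          flags column, then path
#   "S.5....T  c /etc/ssh/sshd_config"      'c' marks a config file
#   "missing     /sbin/ifconfig"            file recorded in the DB is gone
# Flag letters: S size, M mode, 5 MD5 digest, D device, L symlink target,
# U user, G group, T mtime.  A '.' means that attribute verified OK.

# Classify each verify line:
#   HIGH - a missing file, or a non-config file whose MD5 (5), size (S)
#          or mode (M) changed: the classic signature of a trojaned binary
#   LOW  - config-file edits and anything else (mtime-only, owner/group)
# $1 is a file holding rpm -Va output.
triage_rpm_verify() {
    awk '
    /^missing/ {
        printf "HIGH  missing  %s\n", $NF
        next
    }
    {
        flags  = $1
        path   = $NF
        is_cfg = ($2 == "c")
        if (!is_cfg && flags ~ /[SM5]/) {
            printf "HIGH  %-8s %s\n", flags, path
        } else if (is_cfg) {
            printf "LOW   %-8s %s (config)\n", flags, path
        } else {
            printf "LOW   %-8s %s\n", flags, path
        }
    }' "$1"
}

# Convenience counters so the triage can be checked or scripted.
count_high() { triage_rpm_verify "$1" | grep -c '^HIGH'; }
count_low()  { triage_rpm_verify "$1" | grep -c '^LOW'; }

# Constructed sample of rpm -Va output (hypothetical paths and results,
# chosen to exercise each branch above; not real findings).
sample_verify_output() {
    cat <<'EOF'
S.5....T    /bin/ls
SM5....T    /usr/bin/netstat
missing     /sbin/ifconfig
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/lib/libz.so.1.1.3
EOF
}

# Demonstration run on the constructed sample.  On a real host, first do
#   rpm -Va --root /mnt/sysimage > /tmp/verify.txt     (from rescue media)
# and pass /tmp/verify.txt instead.
tmpfile=$(mktemp)
sample_verify_output > "$tmpfile"
triage_rpm_verify "$tmpfile"
rm -f "$tmpfile"
```

Read the HIGH lines first: a changed MD5 on `ls`, `netstat`, `ps` or `ifconfig`, or one of those files simply missing, is what a user-space rootkit leaves behind and is also exactly what `chkrootkit` looks for. Anything the verify cannot explain belongs on the list of reasons to image and wipe sooner rather than later.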


