[ale] Compromised System
Bob Toxen
transam at verysecurelinux.com
Tue Jan 11 15:13:10 EST 2005
You don't have to rebuild from scratch to recover a compromised system.
I describe how to do it in Part IV of my book
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562
Also available in Japanese, Chinese, and Czech.
http://www.realworldlinuxsecurity.com
On Tue, Jan 11, 2005 at 01:25:45PM -0500, Jonathan Rickman wrote:
> On Tue, 11 Jan 2005 11:46:24 -0500, Nick Travis <wormfishin at gmail.com> wrote:
> > We have a system at work that has been compromised. It looks like
> > they got in and used several different executable files, I've got the
> > command history however I don't think it is complete. For example I
> > see that directories were created, but I never saw that they were
> > removed and I can't find them. It looks like about 5 ftp sites were
> > hit and there were about 3 wget commands to pull down files. Also
> > apache was downloaded and installed, even though it was already
> > running on the system. So here's my question, I know that rebuilding
> > the system is the only way to be sure that there is nothing else
> > hidden on it, but that's not an option at this point. Are there any
> > good HowTo's or books out there that can give me some direction on how
> > to check the system for irregularities? This is the first time I've
> > dealt with this so I would like to learn as much as I can about it.
> > I've already determined how they got in. A user made their password
> > the same as their login name, which obviously is no longer allowed.
> > BTW the system is running Red Hat 7.3.
>
> I think you have answered your own question there, and I'm sure you
> know that already. If an intruder was actually able to execute
> commands from a shell on your system, it can't be trusted...period. If
> you absolutely have to leave it up, you should at least run chkrootkit
> on it along with any sig checks (if you have them). Then it should be
> surrounded by packet filters immediately. However, you should take no
> feeling of comfort away from this no matter the result. You should
> image the system for recovery purposes and wipe it as soon as you
> possibly can. Prolonging the inevitable only leads to more problems.
>
> --
> Jonathan
Best regards,
Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
http://www.verysecurelinux.com [Network & Linux/Unix Security Consulting]
bob at verysecurelinux.com (e-mail)
My recent training and talks on Linux security include:
at IBM's Linux Competency Center in New York City on Mar. 06 last year
at the Atlanta SecureWorld Expo in Atlanta on May 22 last year
at the Enterprise Linux Forum in Silicon Valley on June 04 last year
at Computer Associates' Atlanta Linux Security Summit on Sep. 16 last year
in New Jersey on Oct. 27-30 last year
at Southeast Cybercrime Summit in Atlanta on Mar. 4 2004
at the FBI's Atlanta headquarters on Mar. 10 2004
in Denver, CO on Apr. 15-16 2004
in New Jersey on May. 25-26 2004
at the Atlanta SecureWorld Expo in Atlanta on May 27 2004
in Denver, CO on Jul. 12-13 2004
at Linux World SF signing at Prentice Hall's booth on Aug. 03 2004
in Denver, CO on Sep. 27-28 2004
in Boston, MA on Oct. 11-14 2004
at Atlanta Unix Users Group on Nov. 01 2004
in New Jersey on Nov. 15-16 2004
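An added example, not code from anyone in this thread: a small POSIX shell helper for the "sig checks" Jonathan mentions, which on Red Hat 7.3 means reading the output of `rpm -Va`. The sample output and the function name `flag_modified` are my own construction; it flags non-config, non-doc files whose size or MD5 digest changed, or that are missing entirely.

```shell
#!/bin/sh
# Triage helper for a Red Hat host: read "rpm -Va" output and list package
# files whose contents changed. rpm -Va prints one line per mismatch: an
# 8-column status string (S=size, M=mode, 5=MD5 digest, D=device, L=link,
# U=user, G=group, T=mtime, "." = ok) or the word "missing", then an optional
# attribute letter (c = config file, d = documentation), then the path.
# Config files drift legitimately; /bin/ls or /bin/ps should not.

# Constructed sample of what rpm -Va might print on a tampered host
# (assumption: this is illustrative data, not real output from the thread).
SAMPLE_RPM_VA='S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/passwd
S.5....T c /etc/passwd
..5....T c /etc/hosts
S.5....T d /usr/share/doc/foo/README
missing    /sbin/ifconfig'

# flag_modified: read rpm -Va lines on stdin, print paths worth a closer look.
flag_modified() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        status=${line%% *}                    # first field: status or "missing"
        rest=${line#"$status"}                # remainder: optional attr + path
        while [ "${rest#" "}" != "$rest" ]; do rest=${rest#" "}; done
        case "$rest" in
            c\ *|d\ *) continue ;;            # config/doc: expected to change
        esac
        case "$status" in
            missing|*5*|S*) printf '%s\n' "$rest" ;;   # gone, digest or size changed
        esac
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | flag_modified
# → /bin/ls, /bin/ps, /sbin/ifconfig (one per line)
```

On a host where an intruder ran commands, the rpm binary and its database may themselves have been replaced, so run the check with a known-good rpm from clean media and treat a clean result as inconclusive, which is Jonathan's point above.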