What do I do if I've been rooted - hacked - compromised?

ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; posts: 16777215; location: Kuala Lumpur, Malaysia)

Posted: Sat Aug 17, 2002 2:13 am    Post subject: What do I do if I've been rooted - hacked - compromised?

Check your machine with http://www.chkrootkit.org/. If it doesn't show anything, this doesn't mean you are clean; if you suspect it, follow the below:

Afterwards, to secure your machine, read:

http://www.security-forums.com/forum/viewtopic.php?t=925

Courtesy of a newsgroup post:

Gene <gene@eracc.hypermart.net>

Your Linux, UNIX, etc. box has been cracked. What now?

1. Disconnect the infected system NOW! Don't wait.

2. Get *all* patches for your OS version a.s.a.p. (Now! Today!)

3. Save the patches to another system / drive / CDR / etc.

4. BACKUP ANY DATA YOU NEED TO KEEP.

4a. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Do not include any binary programs in your backup as these
may have been compromised. You should re-install binary
programs and libraries from their original medium.

5. Wipe the OS partition / drive clean.
(You are unlikely to be able to clean up a compromised system by
hand. So, grit your teeth and reformat that sucker.)

5a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
(This is *not* an exact quote but is a paraphrase)
Reformat may give the wrong impression that a time consuming
format of the entire drive is needed. Rather than reformat
the entire drive wipe out the MBR, partition boot sectors
root partition and any other partition containing executable
files that may be compromised.

6. Reinstall the OS + apps and restore data to the clean partition /
drive.

6a. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
Then, scan all of the files which you saved for suid
programs:

find / -perm /6000 -ls
(written as "-perm +6000" in the original; current GNU find no longer accepts the "+mode" form, while BSD find still does)

6b. (Suggested by Bill Unruh <unruh@physics.ubc.ca> 12-21-2001)
Make sure that each of those files which are reported
should actually be suid or sgid.
If they are system files, check them with:

rpm -Vf /name/of/file

If they are in your or others home directories, they almost
certainly should not be suid, especially not suid root.
For example a file in /tmp, or in /usr/share/man should
never be suid root.

6c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
When you restore your backup, check all system configuration
files that are restored for any cracks that may have already
been incorporated into these files.

6d. (Suggested by Bill Staehle <withheld on req.> 01-07-2002)

find / \( -nouser -o -nogroup \) -exec ls -lad {} \;

and if anything turns up, determine _why_ the user and/or
group is not in /etc/passwd and/or /etc/group. Who _really_
owns those files/directories? What are they?

7. WHILE OFFLINE install all the patches.

8. Create your own, unique hidden directory and 'cp' files to it
that are essential to system maintenance like 'ls', 'netstat',
'route', 'ifconfig', 'ps', etc.
(Should you be cracked again, God forbid, as long as you don't
have a compromised kernel this will allow you to use these copies
to "see" what a cracker may have done.)

8a. (Suggested by Andreas Braeutigam <abrae@freenet.de> 02-26-02)
I'd rather store those copies on a separate system or a
non-writeable medium. [like a CD-R, floppy diskette with
write protect on, etc.]


8b. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Check your final installation to see that all known security
bugs have been addressed. There are various utilities that
you can get to help with this, such as port scanners; etc.

8c. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Install some of the security monitors that exist out there.
I can't give you the names of all of these but there are
monitors like portsentry that constantly scan for connections
to your system, also there are other utilities that
constantly check your system logs and ones that constantly
check the system configuration files for any modifications of
content and/or permissions.

8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[It] would be better if the program files you put into that
hidden directory are statically compiled, and not using the
possibly corrupted dynamic libraries. It also assumes that
the kernel doesn't get messed with. _At this time_ these
concerns are not big, but why not stay ahead?

8e. (Suggested by James Knott <james.knott@rogers.com> 01-02-02)
Mount as much of your filesystem as possible as read only. If
the crackers can't write to a partition, they can't change
it. Rename and hide su etc. [as suggested in 8].

9. Then, and only then, set the box up to get online.

10. (Suggested by Pep <PepMozilla@netscape.net> 12-21-2001)
Finally, design and implement a regular backup procedure,
something you should already have done, so that you can limit
any future problems you might have with your system, whether from
cracking; bad configuration; system failure or simply bad users.

10a. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[For further security] you could have another system sitting
off a separate network, that randomly grabs a file off of
this box, and does a file comparison externally. If that
other system is not accepting ANY connections from ANYWHERE,
it makes a better intrusion detection system.

What if you have only one machine with one OS installed? You still
need to disconnect, backup and reinstall. To get the patches ask a
friend or acquaintance with a secured system to help download the
patches. Or see if your OS vendor offers the current patches on CD.
If so, order it.

For further reference see the comp.os.linux.security FAQ:
http://www.linuxsecurity.com/docs/colsfaq.html

Finally, if all this is too much for you to handle alone consider
hiring an expert to assist you or to do it for you. However, be aware
hiring a consultant that is able to help will probably *not* be
inexpensive. For Linux and UNIX consultants in your area check These:

http://www.pcunix.com/consultants.html
http://wdb1.caldera.com/sdir_web/owa/ptrLocator.search
http://www.redhat.com/products/purchase_options/find_reseller.html

("-" Suggested by Bill Staehle <withheld on req.> 01-07-2002)
-ftp://ftp.cc.gatech.edu/pub/linux
-ftp://ftp.freesoftware.com/pub/linux/sunsite
-ftp://ftp.flash.net/pub/mirrors/metalab.unc.edu/pub/Linux
-ftp://ftp.yggdrasil.com/mirrors/sunsite
-ftp://ibiblio.org/pub/Linux
-
-Those are anonymous FTP servers. Log in as anonymous, with your
-email address as password, and change to the indicated directory.
-Look for the file "MIRRORS" to find a list of other servers that
-may be more accessible to you. Then continue down from this
-directory to ./docs/linux-doc-project/linux-consultants-guide/
-and get one of the versions of the Consultants-Guide:
-
-Consultants-Guide.html.tar.gz
-Consultants-Guide.pdf
-Consultants-Guide.ps.gz
-Consultants-Guide.sgml.gz
-Consultants-Guide.txt

Certified or Authorized resellers and/or consultants will be the
ones most likely to be able to assist you. Those well versed in
Linux and/or UNIX are usually capable of handling the "lesser OS's"
as well.

Finally, NEVER use the word "hacking" to describe "cracking" as there
is a significant difference between a "cracker" and a "hacker". See:

http://www.tuxedo.org/~esr/jargon/html/entry/cracker.html
http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html

Most of all Good Luck!


Last edited by ShaolinTiger on Wed Sep 04, 2002 2:08 am; edited 1 time in total
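As an added worked example (not part of Gene's post or of this thread), assuming only the Python standard library and a typical Linux directory layout, the script below performs the checks from steps 6a/6b/6d (setuid/setgid listing with a "should this live here?" flag, files whose owner or group is unknown to passwd/group) and the external file comparison from step 10a against a hash baseline stored off the box. The directory tree it audits is constructed for the demo, not a real system.

```python
import grp, hashlib, os, pwd, stat, tempfile

# Where setuid/setgid binaries normally live (assumption: typical Linux layout); per 6b, /tmp or home dirs are not.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

def audit_tree(root, known_uids=None, known_gids=None):
    """Steps 6a/6b/6d: setuid/setgid files plus files whose uid/gid is unknown to passwd/group."""
    if known_uids is None:
        known_uids = {p.pw_uid for p in pwd.getpwall()}
    if known_gids is None:
        known_gids = {g.gr_gid for g in grp.getgrall()}
    findings = {"setid": [], "orphans": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink an intruder may have planted
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                where = "system-dir" if path.startswith(SYSTEM_BIN_DIRS) else "SUSPICIOUS-LOCATION"
                findings["setid"].append((path, oct(stat.S_IMODE(st.st_mode)), where))
            if st.st_uid not in known_uids or st.st_gid not in known_gids:
                findings["orphans"].append((path, st.st_uid, st.st_gid))  # the -nouser/-nogroup case
    return findings

def hash_tree(root):
    """Step 10a: SHA-256 of every regular file, keyed by path relative to root (the baseline)."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare_baseline(baseline, current):
    """Step 10a, run on the separate box: files modified, added or removed since the baseline."""
    return {"modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
            "added": sorted(set(current) - set(baseline)),
            "missing": sorted(set(baseline) - set(current))}

def run_demo():
    """Constructed sample tree (not a real system): a setuid script and a config, then tampering."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    suid, conf = os.path.join(root, "suidprog"), os.path.join(root, "plain.conf")
    with open(suid, "w") as fh: fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)  # setuid bit on a file outside any system directory
    with open(conf, "w") as fh: fh.write("setting=1\n")
    audit = audit_tree(root)
    orphans_if_unknown = audit_tree(root, known_uids=set(), known_gids=set())["orphans"]
    baseline = hash_tree(root)  # taken from the known-good install, stored off the box
    with open(conf, "w") as fh: fh.write("setting=changed\n")  # simulate a tampered config
    with open(os.path.join(root, "extra"), "w") as fh: fh.write("x")  # simulate a planted file
    os.remove(suid)  # simulate a removed binary
    return audit, orphans_if_unknown, compare_baseline(baseline, hash_tree(root))
```

On a real box the audit should be run from known-good tooling (see step 8 and the replies below about booting read-only media), and the baseline taken from the freshly reinstalled system before it goes back online.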
ciel (Just Arrived; joined 30 Apr 2002; posts: 6; location: LYON ( FRANCE ))

Posted: Sat Aug 17, 2002 9:13 pm

Hello,

I'm a neophyte but I believe it is true that a box that is secure one day may not be a secure box the following day.
I mean that if you're almost certain that you have done everything possible to secure your box (assuming the "0" risk is reachable), keep being vigilant the other days. Security is always developing...

Then, if you think you're compromised, do NOT lose your nerve! Be relaxed and examine your system step by step to check whether something is going wrong or not.


If you have any doubt, any answerless question, just ask in these forums and you'll get the help you need ! ( :p )

Ciel

P.S.: Yeah! I've become a newbie! I am not a "just arrived" anymore! Good, I'm improving myself.
Abybaby24 (Just Arrived; joined 12 Nov 2002; posts: 0)

Posted: Wed Nov 13, 2002 6:30 am    Post subject: NICE ONE

THIS IS AN AMAZING POST.
THANKX BRO.
I RATE THIS POST AS ONE OF THE BEST IN SFDC.

GOOD LUCK!

ABYBABY.
ip9 (Just Arrived; joined 02 Feb 2003; posts: 0)

Posted: Sun Feb 02, 2003 10:08 pm

Just posted this in the tools section, but it is also relevant here: FIRE - Forensics tool kit CD, has many trusted binaries (Windows, Solaris and Linux) you can use to help see what's been done, as well as a bootable Linux distro that you can run, mount all the partitions as read only and then have a poke around from a safe starting point. http://www.security-forums.com/forum/viewtopic.php?t=3260
lammer (Just Arrived; joined 07 Dec 2003; posts: 0)

Posted: Mon Dec 08, 2003 1:56 pm

ShaolinTiger: Nice post

BUT I can say one thing:

IF YOUR BOX WAS OWNED, THERE IS ONLY ONE WAY
TO RESTORE IT - IT'S TOTAL SYSTEM REINSTALL

BECAUSE:

you can't check HOW your system was backdoored

you can check for LKMs - chkrootkit and the like
you can check for suids - find -perm

but what IF they patched /bin/ls and it checks if getuid() == 0 and sets 4755 on /tmp/.xxxx ??
HUH it means that you don't know which file on the system was
patched, and there is no way to check it!

By the way, changing password would be a good idea,
because they could have been sniffing all the remote
connections (ssh,ftp) to your friend boxes and other servers.

KEEP IT IN YOUR HEAD

IF YOU HAVE BEEN HACKED ONCE - WAIT FOR THEM AGAIN
ShaolinTiger (Forum Fanatic; joined 18 Apr 2002; posts: 16777215; location: Kuala Lumpur, Malaysia)

Posted: Mon Dec 08, 2003 2:07 pm

lammer wrote:

but what IF they patched /bin/ls and it checks if getuid() == 0 and sets 4755 on /tmp/.xxxx ??
HUH it means that you don't know which file on the system was
patched, and there is no way to check it!


Because using a local copy of any system utility would be doltish to say the least. When conducting a forensic analysis of a possibly compromised machine you use ps/ls and so on from a known good medium which is read only such as a CD or write protected floppy disk. Or you mount the drives with something like Knoppix or another forensics distro.

Plus I'm not sure what point you are making as the outline clearly states:

5. Wipe the OS partition / drive clean.

This is always the best solution, but a forensic analysis must be conducted first so the hows and whys can be documented.
Code_Dark (Just Arrived; joined 03 Nov 2003; posts: 0; location: San Diego, CA)

Posted: Mon Mar 08, 2004 2:07 am    Post subject: Re: NICE ONE

Abybaby24 wrote:
THIS IS AN AMAZING POST.
THANKX BRO.
I RATE THIS POST AS ONE OF THE BEST IN SFDC.

GOOD LUCK!

ABYBABY.


You, sir, are an idiot.


- CD
s_cristian (Just Arrived; joined 21 May 2004; posts: 0; location: Romania)

Posted: Tue May 25, 2004 1:10 pm

A great tool like Rootkit Hunter (now at a new version, 1.0.9) is always welcome.
AK_Dude (Just Arrived; joined 25 Jan 2005; posts: 0; location: Somewhere in the cold, frozen north (Anchorage, AK))

Posted: Wed Jan 26, 2005 8:55 pm    Post subject: Re: What do I do if I've been rooted - hacked - compromised?

ShaolinTiger wrote:
8. Create your own, unique hidden directory and 'cp' files to it
that are essential to system maintenance like 'ls', 'netstat',
'route', 'ifconfig', 'ps', etc.
(Should you be cracked again, God forbid, as long as you don't
have a compromised kernel this will allow you to use these copies
to "see" what a cracker may have done.)

8a. (Suggested by Andreas Braeutigam <abrae-at-freenet.de> 02-26-02)
I'd rather store those copies on a separate system or a
non-writeable medium. [like a CD-R, floppy diskette with
write protect on, etc.]

<...snip...>
ShaolinTiger wrote:
8d. (Suggested by Bill Staehle <withheld on req.> 01-01-2002)
[It] would be better if the program files you put into that
hidden directory are statically compiled, and not using the
possibly corrupted dynamic libraries. It also assumes that
the kernel doesn't get messed with. _At this time_ these
concerns are not big, but why not stay ahead?


Another way to achieve the same thing is to make yourself a Knoppix CD (http://www.knopper.net/knoppix/index-en.html) or equivalent *BEFORE* your system is cracked (or on a friend's machine, if you've already been rooted). This will give you a known good, read-only kernel and utilities that you can use to conduct your forensics.

You could also use a copy of the kernel on floppy (you *do* have a bootable floppy, right?), and statically compiled ls, cp, etc. on a USB thumb drive instead--just make sure both the thumb drive and floppy have write protect set!
blackmagic22 (Just Arrived; joined 20 Dec 2002; posts: 0)

Posted: Thu Oct 26, 2006 11:33 am

This could have been said in 1 sentence.


Backup files and reinstall.

AK_Dude (Just Arrived; joined 25 Jan 2005; posts: 0; location: Somewhere in the cold, frozen north (Anchorage, AK))

Posted: Thu Oct 26, 2006 7:02 pm    Post subject: sigh...

Yes...if you are certain you've been hacked and just want your system back ASAP.

If you suspect you may have been hacked, but want to:
1) Know for certain, or
2) Find out how the perpetrator got in, or
3) Conduct an investigation to find out who the perpetrator is, or
4) etc.
...then you might want to do like I said above, and boot from a read-only file system with a known-good kernel and known-good shell so you can poke around and do some forensics.

Furthermore, suppose you aren't exactly sure when you were hacked? How far back in your backups do you go? There is a trade-off here, because you want to go far enough back to *know* that you've restored a clean system, but the farther back you go, the more likely you are to lose configs, data, etc.

Granted, you said:

    backup your data and restore from backup

but what portion of your current data do you want to restore once you've reinstalled your base system? If the hacker got in, anything on your machine is suspect. Do you want to restore SSH keys? Config files? Your user/password database? Do you *know* that your data, whatever it is, hasn't been tainted? How about custom scripts to manage your system? Have they been compromised?

Each case is different, but personally, I would like to have as much info as possible before I put the machine back in production. And, it's entirely possible that after doing some forensics you will find that you weren't actually hacked, but a normal process that you hadn't been monitoring tripped your alarms, in which case you don't want to take your system down because there is nothing wrong with it. It's happened to me, once.
Groovicus (Trusted SF Member; joined 19 May 2004; posts: 9; location: Centerville, South Dakota)

Posted: Thu Oct 26, 2006 7:16 pm

And secondary to that, which data will you back up?
blackmagic22 (Just Arrived; joined 20 Dec 2002; posts: 0)

Posted: Thu Oct 26, 2006 8:29 pm

It surprises me that people babble on about such a trivial thing, making it sound like rocket science.

Common sense would answer every question you just posed.