I'm being hacked!

Rusty Carruth rustyc@descomp.com
Thu, 8 Mar 2001 15:09:26 -0700 (MST) 

Correction - you've BEEN cracked.  Now its time to clean up the mess.

> 
> Rick Rosinski wrote:
> [snip]
> > The point to all of this is:  I want to find out how to stop this from 
> > happening.  I have a few ideas of my own, and I have lots of questions.
> > 
> > Besides setting up a firewall, what other security measures should I consider 
> > implementing?
> > 
> > What will it take to keep this guy out of my system?  What is he capable of 
> > doing besides knowing my command history in my term windows.  Would it be 
> > effective if I set up a user for myself (I am always root) to keep him out?  
> > I am not on a LAN, just ppp to inficad, and I don't know if being root is 
> > dangerous or not.
>  
> You should consider your system completely compromised!  At this
> point, the cracker could very easily have total access to every part

If the guys are half as good as they claim to be, or if they are
using a rootkit, then the cracker(s) DO have total access to
every part of your system.

> of your system.  In your case, you MUST do a clean reinstall.  Backup
> your important data then nuke your harddrive and start from scratch.
> This is *necessary* since your cracker could have put in any number of
> back-doors or trojans that will circumvent anything you do!

The only thing I might add - if these were 'bad guys' that you wanted
to prosecute then you'd take a sightly different approach.  Otherwise,
backup  your critical info, turn off that computer, get a CLEAN linux 
install CD, turn off your modem, power up and boot off the CD (or
make a clean install floppy), and re-install from scratch. DO NOT
use ANY PART of your previous system.  DO NOT restore directories
blindly from that compromised system...

Oh - yeah - don't run as root as your normal user.

ALso - DO NOT HAVE '.' in your $path!  Or, if you do, make CERTAIN
its last!

> That done, you'll need to beef up the security on your box.  This is
> one area where most Linux distributions really fall short... the
> default install on all general distros are *way* too permiscuous.
> 
> Unfortunately, the topic of security isn't an easy one.  If you RTFM,
> you'll see that the FMs are very long and very complex.  They assume
> usually that you are a dedicated sysadmin.  Very few HOWTOs deal with
> a "normal" home user.

I've seen a good one somewhere.  The short version is - turn off
anything you do not absolutely know you must have.  (The best thing
is to set up a true firewall in front of all your other machines -
great use for that 'useless' 486 gathering dust.  Don't have a useless
486 gaterhing dust? email me ;-)

> That said, I recommend that you check out www.linuxsecurity.org.  They
> have a number of HOWTOs there that can help.
> 
> In the meantime, though, I recommend doing at least the following:
> ...
> 2) Setup a packet filter (firewall) that denys *all* incoming packets.
> 3) Shutdown all non-essential services.  Since you are on a dial-up,
> 4) Pick a very good password for Root and preferably change it every
> 5) Rarely login as Root.  Create any number of normal users and do
> 6) Always keep up to date with your distro's update patches

all good suggestions...

(A truly paranoid person would disallow root logins on anything but the
'console' as well....)

again, I'd add 
7) use a firewall machine with NAT in front of everything else, even
if its only one other machine! 

Sometime back someone posted a good reference to the psychology
of crackers.  Lets see... nope, sorry, I cannot find it.  Try looking
for 'psychology of cracker' or something like that.  Anyway, this
is good, though:

http://www.enteract.com/~lspitz/papers.html


rc