[Plug-security] Once cracked
Craig White
plug-security@lists.PLUG.phoenix.az.us
Sun, 09 Sep 2001 11:41:02 -0700
Carl Parrish wrote:
>
> Okay I have reason to belive I've been cracked I'm going to completly
> wipe the drive. it this was you would you bother to make a backup copy
> of your home dir or would you assume its be comprimised as well?
>
> Carl P.
>
----
I definitely agree with Steve about figuring out where/why/how you were
'cracked' to prevent it from happening again. In my case, it was from
running bind and not protecting port 53 with packet filters on the
exposed interface - thus I studied ipchains long and hard and adopted
(and modified for my purposes) Trinity OS. The other most common entry
for crackers are ftp (anon or wu-ftpd) and telnet (it really is time to
retire that insecure puppy and make sure that port 23 is blocked on the
external interface).
Most crackers don't even bother covering their tracks on a system that
is of little interest to them - thus you should see their logins via the
'last' command and possibly in /var/log/secure or /var/log/messages
(your distro may vary).
Assuming that you didn't use tripwire, on a system that uses rpm
(Mandrake - RedHat) - you can try rpm -Va which should list all files
that have changed from the compare with actual files to the rpm database
and it should really only list conf files. If binary files such as ls,
ps and the like have been changed - either your rpm database is severely
out of date (highly unlikely) or you have a rootkit installed and it
would be time to flush the system. For example, I am not at all
concerned with the fact that /etc/sendmail.cf has changed since I have
updated the file by running the m4 program against my
/etc/mail/sendmail.mc, but finding /bin/ls changed would cause me to
panic.
You can chmod 666 /home/* -R to remove the executable property from
everything in the /home directory but if the 'cracker' gains access
again, they obviously have root access and can change anything.
Craig