A couple of comments, based on my professional certification
in the area of computer security (I am a CISSP == Certified
Information Systems Security Professional, cert # 10047).
Some other related links follow my comments.

Your response should be guided by both legal and practical
considerations.

If you are dealing with a corporate system that is hacked, notify
management.  They have legal responsibility for the legal issues;
that's what the PHBs get paid big bucks to screw up, so let them
earn their pay. :-)  There should be organizational plans and policies
in place, even if you aren't fully aware of them (you should be aware
of some of them, but have no need to know other parts).  The
planning and policies should routinely include and address incident
response.  Let them activate and follow the plan.  NB, if they
don't have those plans and policies in place, management may be
failing in a fiduciary responsibility to their stockholders!

If you are dealing with your personal system, you are the PHB :-)
so decide what you feel you should do.  You could choose to
turn the box off, pull the net connector, reload everything from
CDROM and rebuild the environment from a known safe start,
and go on living your life ignoring the scum that hacked you; that's
your choice and it's a valid one.  You could also take it upon
yourself to investigate and report and try to make the world a
better place by cleaning up the scum.  If so, don't expect an
easy road; read The Cuckoo's Egg by Cliff Stoll for an idea
of how your life might be altered (but also consider, he broke
a KGB spy ring in the midst of the Cold War).

Last comment, regarding the SANS link Kenny provided: it
looked good, but a little weak on incident response.  The gist
of it was "tell management".  The unstated assumption appears
to be that the PHBs have prepared for this eventuality.  IMHO
don't be surprised if that assumption proves optimistic.

Finally, an offer:  if I can help (without impacting my pre-existing
responsibilities) I will be glad to do what I can.  Feel free to
contact me privately, there are some suggestions I do not want
to post in a public forum.

--Bruce McCulley, CISSP.

ps - another link is <http://www.isc2.org/> which is the authority
issuing CISSPs.  They are oriented more to the practitioners than
the public, but do have some helpful links.  Among those links are
the Computer Security Institute <http://www.gocsi.com/> and
ISSA, the Information Systems Security Association
<http://www.issa-intl.org/>.  BTW, if you find another good
reference for incident response please post a pointer to it, like
Kenny did with the SANS link.  THANKS!

"Kenneth E. Lussier" wrote:

> I mostly agree with all of this. There is, however, one *MAJOR* point
> that I disagree with. The point that I disagree with is disabling the
> account. Before I get jumped all over for this, there is a good reason
> for it. By letting him continue to use the system, his activities can be
> tracked. This is extremely important in computer forensics.  The first
> thing that should be done is to notify a higher power. The person or
> people that have cracked the system have committed several federal
> crimes, and you have a chance to stop them. Let the intruder play for a
> few days, then pull the network cable on the system. That way you have
> all of the evidence that you need. Don't reinstall the box. Keep it as
> well preserved as possible. That way, when the time comes to put him/her
> away, you have a really big nail for his/her coffin.
>
> If you want an in-depth strategy guide, I suggest the SANS guide to
> incident response @
> http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm .
>
> MNSHO,
> Kenny
>
> Tony Lambiris wrote:
> >
> > First, you disable his account, contact the admins of the other hacked boxes, see
> > if you can trace his ip and find a little info on him (you should at least be able
> > to get what ISP he uses).
> >
> > Now on securing your box. You'd better reinstall, that's all I have to say. I'm
> > taking a shot in the dark here, but you were running Red Hat 6.2 w/ wu-ftp(2.6.0)
> > with anonymous access enabled? A few pointers after you get your reinstall.
> >
> > DISABLE EVERYTHING YOU DO NOT NEED. This also means anonymous access to your
> > account. I bet I could find at least 10 things wrong with the way your system was
> > setup (i.e. sendmail, apache, etc...).
> > Put some good firewall rules in. I'm not going to go into this, but the book
> > Building Linux and OpenBSD Firewalls proves invaluable to me.
> >
> > You might also want to think about what kind of information your services are
> > giving to people (i.e. a default 404 for apache yields its version number, a
> > default connect to sendmail will tell you its version number.) I know most would
> > call this security through obscurity, but let me tell you it goes a long way.
> >
> > Also, if this was a dedicated server, you might want to consider running OpenBSD.
> >
> > Thomas Charron wrote:
> >
> > >   I have an interesting question for everyone.  As of friday, my machine was
> > > hacked.  Not a problem, I caught it fairly easily.  I did do something that
> > > most people probably do *NOT* do.  I fixed the prob that allowed him to get
> > > in, but I'm continuing to allow him to run rampant in the account he isn't
> > > aware that I know exists.  His app that is giving him access is currently
> > > running its merry little butt off..
> > >
> > >   Basically, he's running a distributed attack daemon, being controlled via an
> > > eggdrop bot, connected to IRC.  In the process of looking at the logs, etc, I
> > > now have a fairly *VAST* amount of knowledge regarding this little bugger,
> > > along with other sites he's hacked from, who have the same hole in them.  The
> > > question is..
> > >
> > >   What can I *DO* with all this data?  I've now started to monitor the output
> > > logs from the stupid eggdrop hack, currently running as 'netserver', which is,
> > > of course, currently connected to EFNet.  I have tcpsnoop logging all of the
> > > data coming into that application.  Technically, right now I could hijack this
> > > twink's network, because he's ordering it by using public chat commands.  I've
> > > seen them come.  He occasionally ftp's into the box to check to ensure the
> > > account is still valid.  I'm looking at this $%@#^&$%@&@$%*&.
> > >
> > >   Now I know, leaving my box open is dangerous.  But I can wipe this box
> > > without much of an effort.  I won't lose anything.
> > >
> > >   But damn it, I want this little &$*%#^&#%&&#%^*#%^()&(%^.
> > >
> > >   Any suggestions?  He currently has hacked at least 24 other machines, running
> > > similar apps, running on the same server.  He's using a package available at
> > > http://www.punk.uk.net/botpack1.3.tgz, which looks like a standard IRC bot hack
> > > setup.  I intend to inform the other machine administrators that he's
> > > broken, but for now, I'm logging it with all my might.
> > >
> > >   Frustratingly yours..
> > >
> > >   One *VERY PO'd* individual..
> > >
> > > ---
> > > Thomas Charron
> > > << Wanted: One decent sig >>
> > > << Preferably little used  >>
> > > << and stored in garage.  ?>>
> > >
> > > **********************************************************
> > > To unsubscribe from this list, send mail to
> > > [EMAIL PROTECTED] with the following text in the
> > > *body* (*not* the subject line) of the letter:
> > > unsubscribe gnhlug
> > > **********************************************************
> >
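Tony's point about what a default Apache 404 page and a default sendmail greeting give away, as an added example that is not part of the thread: a small Python check over constructed service responses that reports the product/version strings a stock install prints, and shows that trimmed banners report nothing. The sample responses, hostnames and version numbers are made up for the example.

```python
import re

# Constructed samples modelled on the defaults the thread describes: a stock
# Apache error page (version in the Server header AND in the <address> footer)
# and a stock sendmail 220 greeting.  Made-up strings, not captures from any host.
APACHE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/1.3.12 (Unix)\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/1.3.12 Server at www.example.test Port 80</address>\n"
    "</body></html>\n"
)
SENDMAIL_220 = "220 mail.example.test ESMTP Sendmail 8.9.3/8.9.3; Mon, 1 Jan 2001 00:00:00\r\n"

# The same services after the banners are trimmed (hypothetical hardened output).
APACHE_404_HARDENED = "HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
SENDMAIL_220_HARDENED = "220 mail.example.test ESMTP\r\n"

# product/major.minor[.patch], e.g. "Apache/1.3.12"
VERSION_RE = re.compile(r"\b([A-Za-z][\w.+-]*)/(\d+(?:\.\d+)+)")
# MTA name followed by a version, e.g. "Sendmail 8.9.3"
SMTP_VERSION_RE = re.compile(r"\b(Sendmail|Postfix|Exim)\s+(\d+(?:\.\d+)+)", re.I)


def http_version_leaks(response: str) -> list:
    """Return sorted 'product/version' strings disclosed by an HTTP response:
    the Server header plus anything in the body (the default error-page footer)."""
    head, _, body = response.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n"):
        if line.lower().startswith("server:"):
            found += [f"{p}/{v}" for p, v in VERSION_RE.findall(line)]
    found += [f"{p}/{v}" for p, v in VERSION_RE.findall(body)]
    return sorted(set(found))


def smtp_version_leaks(greeting: str) -> list:
    """Return 'mta/version' strings disclosed by an SMTP 220 greeting."""
    if not greeting.startswith("220"):
        return []
    return [f"{m}/{v}" for m, v in SMTP_VERSION_RE.findall(greeting)]


if __name__ == "__main__":
    for label, leaks in (("apache default", http_version_leaks(APACHE_404)),
                         ("apache trimmed", http_version_leaks(APACHE_404_HARDENED)),
                         ("sendmail default", smtp_version_leaks(SENDMAIL_220)),
                         ("sendmail trimmed", smtp_version_leaks(SENDMAIL_220_HARDENED))):
        print(f"{label}: {leaks or 'no version disclosed'}")
```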
