On 03/05/02 14:04 +0530, Arvind wrote:
> I never opened all these services......... but I see them all with an nmap
> what do I do?
<snip>
Oh, the usual.
Rebuild the machine from scratch.
Steps:
If you want to do forensics (I think it's a bit late for that by now), you
will want to make clean backups of your system.
Get another two hard disks (one of them must be of the same size and
make as your current HD), and one machine.
Install a statically linked md5sum binary on the compromised machine.
Install a statically linked, known-clean netcat on the compromised
machine, and on one of the hard disks (if they are different, the one
that is not the same size), dump a copy of your memory and proc:
compromised:dd|nc > clean:nc|dd . This HD must be in the second machine.
Make the other hard disk clean (dd if=/dev/zero of=/dev/hdb, where the
second disk is connected as hdb).
Ensure that the checksum is zero.
dd the hard disk over to the clean disk. Verify the md5sum of the
original and copy. These must be the same.
Lock, seal and store for forensics.
Rebuilding the compromised box:
Disconnect the box from the network.
Backup your data.
Partition, format and reinstall. Install only the binaries you
need. Nothing else. Strip the install down to its minimum.
Download all patches to a second box.
Make a network of only these two boxen.
Patch the system to the full.
Install tripwire, and generate the signature database.
Move the database to offline read-only media.
Set up a firewall.
Retest for open ports.
Check all installed binaries; make sure that nothing you don't want to
run is installed.
Remove suid bits from everything that doesn't need it.
(login and passwd do, ssh doesn't).
Restore data from backup.
Connect to the normal network.
Devdas Bhagat
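The imaging and cleanup steps above, as an added example that is not part of the original post: shell helpers that wipe and check the evidence disk, copy the compromised disk and compare hashes, and list setuid files after the rebuild. It assumes POSIX sh with dd, md5sum, tr, wc, cut and find; /dev/hda, /dev/hdb and the host name "clean" are the poster's names, and the port 9000 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): shell helpers for the imaging and
# cleanup steps above. Assumes POSIX sh with dd, md5sum, tr, wc, cut and find; the
# device names /dev/hda (compromised disk) and /dev/hdb (evidence disk) are the poster's.
set -u

# Zero the evidence disk, then confirm that nothing but NUL bytes reads back.
# Returns 0 only when the wipe is complete and verified.
wipe_and_verify() {
    target=$1; size_bytes=$2
    dd if=/dev/zero of="$target" bs=1024 count=$((size_bytes / 1024)) 2>/dev/null || return 1
    # "Ensure that the checksum is zero": strip every NUL byte; anything left over
    # means the wipe did not cover the whole target.
    leftover=$(tr -d '\000' < "$target" | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Compare the md5 of original and image; prints the shared hash on a match.
# On the compromised side use the statically linked md5sum, never the one on the
# suspect disk.
verify_image() {
    src=$1; dst=$2
    h_src=$(md5sum < "$src" | cut -d' ' -f1)
    h_dst=$(md5sum < "$dst" | cut -d' ' -f1)
    if [ "$h_src" != "$h_dst" ]; then
        echo "MISMATCH: original $h_src, image $h_dst" >&2
        return 1
    fi
    echo "$h_src"
}

# Bit-for-bit copy followed by the hash comparison (local disk-to-disk case).
image_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    verify_image "$1" "$2"
}

# Over the network (the poster's "compromised:dd|nc > clean:nc|dd"): start the
# receiver on the clean machine first, then the sender on the compromised one
# (listen flags shown for traditional netcat; OpenBSD nc takes "nc -l 9000"):
#   clean:        nc -l -p 9000 | dd of=/dev/hdb bs=4096
#   compromised:  dd if=/dev/hda bs=4096 | nc clean 9000
# Then hash /dev/hda on the compromised host and /dev/hdb on the clean host and
# compare them, exactly as verify_image does for two local paths.

# After the rebuild: list setuid/setgid files so only those you need keep the bit.
list_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
```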
linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help