These suggestions are for next time, I suspect it is too late to take any of these on board in this particular situation.
On Wed, Apr 06, 2005 at 08:16:14AM +1000, Voytek wrote:

> I have a compromised RH73 machine, until such time as I can pull it down,
> what can I do to identify and shut down any rogue processes/backdoors ?

First thing I would suggest is some network dumping. Consider either ethereal or tcpdump, get an old, dumb hub and drop it into the ethernet connection to that machine; be quick so it doesn't lose connectivity for more than a few seconds. Then put a temporary machine on the same hub, bring up an interface (but give that interface no IP number) and start dumping to hard drive. Don't use a switch! Old 10Meg ethernet hubs are best, but you can still get 100Meg hubs if you search.

Save those dumps for when you talk to the police (of course you are going to do the right thing and report this); they will find the dumps very useful. Hopefully whoever broke in will make some contact with the broken box and might reveal something about themselves.

NB: at this stage you do NOT want to do anything abnormal that might make it clear that you are paying great attention to this machine. The sniffer machine can be completely self contained, with no contact to the outside world other than silently sniffing. Don't even think about trying to sniff on the same machine that is broken.

> I've removed all the baddies, but, I expect there will be some open ports ?
> is there a way to shut them in the interim period till I can get to the
> machine ?

There is a big problem with leaving a compromised machine active and also removing stuff while it is live. It is a much more dangerous thing than just leaving the compromised machine alone.

Whoever has broken your machine has (approximately) the following priorities:

[1] Remain undetected
[2] Keep the machine active and stable
[3] Collect information
[4] Use the machine to break other machines

Once they know they have been detected, the above priorities go out the window and they really only have one thing that matters anymore, which is destroying evidence and cleaning up their tracks as much as possible. By poking around and removing this and that you are spelling it out to whoever is on the other end of the line that they should think about filling your partitions with random numbers.

So you sort of have to operate in two distinct modes... BEFORE you let them know they have been detected you are trying to watch from the sidelines and make notes... when you decide that enough is enough, then you have to pull the network plug clean, type sync a few times and just turn it off. There's no half-way.

After you do turn it off, boot off a CDROM and take a full hard drive image, which the police will also find useful. The rootkits are quite often customised and may contain links to websites, other compromised machines and bits of forensic evidence that might make it to court. Some people leave bash history behind, others leave temporary files and all sorts of stuff. They spend all day filtering through this junk putting clues together, often from multiple sites. You are paying for this, might as well keep them busy and get something for your money.

By the way, in NSW the investigation of computer related crimes is the job of the fraud squad, see http://www.police.nsw.gov.au/

- Tel ( http://bespoke.homelinux.net/ )

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
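The passive-sniffer setup and the evidence handling described in the post, as an added example script that is not part of the original thread. It assumes a Linux sniffer box with iproute2, tcpdump and GNU coreutils, run as root for the interface and dd steps; interface and device names are placeholders.

```shell
#!/bin/sh
# Added example: passive capture on the hub, then hashing what was collected.
# Assumptions: Linux, iproute2 (ip), tcpdump, GNU sha256sum; root for the
# interface and imaging steps. No IP address is ever assigned, so the box
# stays silent on the wire.
set -eu

# Bring the capture interface up with no IP and ARP disabled: it receives
# everything on the hub but never transmits, so nobody sees a new host appear.
stealth_iface_up() {
    ip addr flush dev "$1"
    ip link set dev "$1" arp off
    ip link set dev "$1" promisc on up
}

# tcpdump command line for the watch: -n so the sniffer makes no DNS lookups,
# -s 0 for whole packets, -G to start a new timestamped file every hour.
capture_cmd() {
    printf 'tcpdump -i %s -n -s 0 -G 3600 -w %s/capture-%%Y%%m%%d-%%H%%M%%S.pcap\n' "$1" "$2"
}

# Hash every capture file into a manifest once collection stops; returns the
# number of files hashed. Any later change to a dump shows up in verification.
hash_manifest() {
    ( cd "$1" && find . -name '*.pcap' -type f | sort | xargs sha256sum ) > "$1/MANIFEST.sha256"
    wc -l < "$1/MANIFEST.sha256" | tr -d ' '
}

# Re-check the manifest; non-zero exit means a dump no longer matches.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# After the plug is pulled and the box booted from CD: full-disk image with
# noerror,sync so a bad sector does not abort the copy, then hash the image.
image_disk() {
    dd if="$1" of="$2" bs=4M conv=noerror,sync
    sha256sum "$2" > "$2.sha256"
}

# Usage (placeholders): ./sniff.sh setup eth1 /evidence
case "${1:-}" in
    setup) stealth_iface_up "$2"; capture_cmd "$2" "$3" ;;
    seal)  hash_manifest "$2" ;;
    check) verify_manifest "$2" ;;
    image) image_disk "$2" "$3" ;;
esac
```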
