|
|
Tracking, Tracing, Cleanup |
|
| Minimum Tracking and Forensics |
- Before Powering down your hacked server
- Save a copy of the current state of the hacked disk to a safe place ( another machine or a new disk, NEVER the hacked disk itself )
- tar zcvf /mnt/safe_place/hacked_version.tgz /hacked_disk/{bin,sbin,boot,root,dev,lib,etc,usr,var,tmp...}
- tar zcvf /mnt/safe_place/home_data.tgz /hacked_disk/home ..
- run tar ( and ps, netstat, lsof, md5sum ... ) from a known-clean medium ... the copies on the hacked disk may have been replaced and will lie to you
- md5sum the .tgz files and keep the sums with the archives ... that is your proof, later, that the evidence was not altered
- Save the info in your kernel's memory ( process list, open files, network connections )
- tar zcvf /mnt/safe_place/proc.tgz /proc
- expect warnings ... /proc entries come and go while tar reads them, and /proc/kcore is as big as your RAM, so exclude it unless you really want the whole memory image
- After Powering down your hacked server
- lots of critical information is lost
- temporary data in swap, kernel memory and tmp space is lost
- open connections to the hacker's sites will be lost ( and with them the remote ip#s you want to know )
- re-attempts to connect from the [cr/h]acker will be lost
- Perform Forensics from a standalone cdrom
- Boot linux from a live boot cdrom and mount the "hacked disk"
- Re-Install on a NEW disk
- Install a new distro from CDROMs only
- use brand new disks because
- it's cheap and the new disks will probably have more capacity than the old ones
- your backups MIGHT not have all the user data you need
- you may or may not be able to identify all the things the hacker did to your disk
- the linux distro of your choice might have the old bugs and vulnerabilities fixed ... check, don't assume
- Apply all upgrades and patches for your distro
- Audit your server more carefully and more thoroughly
- Save a copy of the system BEFORE you go back online
- It's tricky business to identify and remove all binaries/backdoors/directories/files installed by the hacker
- Use commands from a standalone live cdrom
- Get your users back online with their "data" from backups
- Verify that the user did NOT open a door for the hackers to come in
- Restore USER data from backup
- Do NOT restore binaries from backup
- Now that you got the users back online, poke around on the hacked disks
- You need to see how they got in
- You need to see what they changed
- You need to know what ip# they came from
- You need to know if they sniffed your network for passwds and other corp data
- Change the way you do things... to prevent the "next time"
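The "before you power down" steps above, as one runnable script. This is an added example, not code from the original page: it assumes the tools are run from a known-clean medium (a directory given in CLEANBIN, e.g. a mounted live CD), that the destination directory is on a remote mount or a fresh disk rather than the hacked disk, that sha256sum (GNU coreutils) stands in for the page's md5/sum, and that ss is used where netstat is absent. Every function name and path below is an assumption for the example.

```shell
#!/bin/sh
# Added example: capture evidence from a hacked box BEFORE it is powered down.
# Not code from the original page. Assumptions for this example:
#   - tools are run from a known-clean medium ($CLEANBIN, e.g. a mounted live CD)
#   - $safe is on a remote mount or a fresh disk, never the hacked disk
#   - sha256sum (GNU coreutils) is used where the page says md5/sum
set -u

# Prefer clean binaries if a clean bin directory is given.
CLEANBIN="${CLEANBIN:-}"
[ -n "$CLEANBIN" ] && PATH="$CLEANBIN:$PATH"

# record OUTFILE CMD ARGS...: save a tool's output; a missing or failing tool is
# logged instead of aborting the capture (that failure is evidence too).
record() {
    out="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$out" 2>&1 || echo "exit status $? from: $*" >>"$out"
    else
        echo "tool not found: $1" >"$out"
    fi
}

# Volatile state first: it is gone the moment the power goes off.
capture_volatile() {
    safe="$1"; mkdir -p "$safe"
    date -u >"$safe/00_capture_time_utc.txt"
    record "$safe/01_connections.txt" ss -tanp          # page uses: netstat -napv
    record "$safe/02_processes.txt"   ps -eo pid,ppid,user,lstart,args
    record "$safe/03_open_files.txt"  lsof -nP
    record "$safe/04_logged_in.txt"   w
    record "$safe/05_logins.txt"      last
    record "$safe/06_routes.txt"      ip route
    record "$safe/07_mounts.txt"      cat /proc/mounts
}

# Archive /proc. On a live system tar WILL warn: entries appear and vanish while
# it reads, and kcore is the size of physical RAM, so it is excluded here.
capture_proc() {
    safe="$1"; proc="${2:-/proc}"; mkdir -p "$safe"
    tar zcf "$safe/proc.tgz" --exclude=kcore "$proc" 2>>"$safe/tar_proc.log" \
        || echo "tar exited $? (warnings are expected on a live /proc)" >>"$safe/tar_proc.log"
}

# Archive the hacked disk: system directories and user data separately, then
# hash every archive in $safe so you can prove later that nothing touched them.
# $root is / on the live box, or the mount point when booted from a live CD.
snapshot_disk() {
    root="$1"; safe="$2"; mkdir -p "$safe"
    sys=""
    for d in bin sbin boot root dev lib etc usr var tmp; do
        [ -e "$root/$d" ] && sys="$sys $root/$d"
    done
    # --numeric-owner: do not trust the hacked disk's passwd/group to map uids
    tar zcpf "$safe/hacked_version.tgz" --numeric-owner $sys 2>>"$safe/tar_disk.log"
    if [ -e "$root/home" ]; then
        tar zcpf "$safe/home_data.tgz" --numeric-owner "$root/home" 2>>"$safe/tar_disk.log"
    fi
    (cd "$safe" && sha256sum *.tgz >SHA256SUMS)
}

# Later (before you trust the copy, or in court): did anything alter the archives?
verify_snapshot() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}

# Typical run on the hacked box, in order of volatility; snapshot_disk goes last
# so its SHA256SUMS covers proc.tgz as well:
#   capture_volatile /mnt/safe_place/volatile
#   capture_proc     /mnt/safe_place
#   snapshot_disk    /  /mnt/safe_place
#   verify_snapshot  /mnt/safe_place && echo "evidence intact"
```

The hashes are what turn a tarball into evidence: any later edit to an archive, accidental or not, makes verify_snapshot fail, which is the check you want before anyone draws conclusions from the copy.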
|
| PostMortems |
|
| Tracking and Tracing Tools |
- To Find out what has changed on your "hacked system"
- Your IDS will tell you what was changed ... IF its database and binaries were kept where the hacker could not alter them
- You can run "find" ( assuming it is a clean version with clean libraries, i.e. from the bootable cdrom )
- Look for files that were changed in the last 3 days
( use -7 if you want to check the last 7 days )
- find / -mtime -3 -ls | grep -v /proc
- -mtime alone is NOT enough ... "touch" backdates mtime trivially but can't backdate ctime, so check -ctime too, and prune /proc ( and stay on the one disk with -xdev ) rather than grepping it out afterwards
- you should be able to explain every directory and file that is listed
- Binaries tend to be replaced ... you need a "clean version" ( bootable cdrom ) of every tool you use, at least these:
nslookup, dig
fuser -muvn port#
netstat -napv
lsof
ps, top, find
ifconfig, route, ping, traceroute
last, who, w
login, passwd, bash, perl, sum, md5
tar, rpm, make, gcc
mail, elm, pine, sendmail
SynScan.nss.nu ARP Ping
habets.pp.se/synscan ARP Ping
- they change/modify various libraries too ... a "clean" binary that is dynamically linked against the hacked disk's libraries is NOT clean, so run the tools from the live cdrom instead of copying them onto the hacked system
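The find check above, plus a byte-for-byte comparison of the hacked disk against a clean install (the way to catch the replaced binaries and libraries listed here). This is an added example, not code from the original page: it assumes POSIX find and cmp run from a clean medium, that the hacked disk is mounted at some root directory (/ if still live, /hacked_disk from a live CD), and that a known-good install of the same distro and version is mounted alongside it for comparison. The function names and the sample tree in the usage comment are assumptions for the example.

```shell
#!/bin/sh
# Added example: find what changed on the hacked disk. Not code from the
# original page. Assumptions: POSIX find and cmp (diffutils); the tools come
# from a clean medium; $root is the mount point of the hacked disk (/ if still
# live, /hacked_disk when booted from a live CD); $clean is a mounted copy of a
# known-good install of the same distro/version for byte-for-byte comparison.
set -u

# The page's check: modified (mtime) within the last $days days, /proc pruned.
# Equivalent to: find / -mtime -3 -ls | grep -v /proc
recent_changes_mtime() {
    root="$1"; days="$2"
    find "$root" -xdev -path "$root/proc" -prune -o \
         -type f -mtime "-$days" -print
}

# Hardened check: an intruder can backdate mtime with "touch", but not ctime
# (the inode change time), so look at both. -xdev stays on the hacked disk's
# filesystem, and /proc and /sys are pruned rather than grep'd away afterwards.
recent_changes() {
    root="$1"; days="$2"
    find "$root" -xdev \( -path "$root/proc" -o -path "$root/sys" \) -prune -o \
         -type f \( -mtime "-$days" -o -ctime "-$days" \) -print
}

# Replaced binaries and libraries: byte-compare every file of the clean install
# against the hacked disk, then list what the hacked disk has that the clean one
# does not (dropped backdoors, rootkit directories). Paths are relative to root.
compare_with_clean() {
    clean="$1"; hacked="$2"
    (cd "$clean" && find . -type f -print) | while IFS= read -r f; do
        if [ ! -f "$hacked/$f" ]; then
            printf 'MISSING  %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$hacked/$f"; then
            printf 'CHANGED  %s\n' "$f"
        fi
    done
    (cd "$hacked" && find . -xdev \( -path ./proc -o -path ./sys \) -prune -o \
         -type f -print) | while IFS= read -r f; do
        [ -e "$clean/$f" ] || printf 'EXTRA    %s\n' "$f"
    done
}

# Typical run from the live CD, hacked disk on /hacked_disk, clean install on /clean:
#   recent_changes /hacked_disk 3            # explain every line you see
#   compare_with_clean /clean /hacked_disk   # CHANGED ./bin/ls, EXTRA ./tmp/... etc.
```

CHANGED lines under /etc are often legitimate (config files differ per host); CHANGED lines under /bin, /sbin, /lib or /usr are not, and every EXTRA file needs an explanation. If you have a clean rpm binary and trust the package database, rpm -Va gives a similar per-file report for packaged files.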
|
| Forensics |
|
| Evidence |
Cornel.edu FRE - Federal Rules of Evidence
CyberCrime.gov
FBI.gov A Three-Level Hierarchical Model for Developing Guidelines for Computer Forensic Evidence
FBI.gov Recovering and Examining Computer Forensic Evidence
NCFS.org Proposed Standards for the Exchange of Digital Evidence
NCFS.org
|
|
|