
01 What if your Unix Machines are Compromised by an Intruder p1




Description

This article is from the Unix compromise FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.

This FAQ offers suggestions for securing your Unix machine after it has
already been compromised. Even if your machines have not been
compromised, many of the tips below are useful for securing a machine in
the first place.

1. Try to trace/follow the intruder back to his origin by looking at:

1. who
2. w
3. last
4. lastcomm
5. netstat
6. snmpnetstat
7. router information
8. /var/adm/messages (many crackers send e-mail to their "home"
accounts)
9. syslog (it can send logs to other hosts as well)
10. wrapper logs
11. do a 'finger' on all local users (and check where they last logged
in from)
12. history files from shells, such as .history, .rchist, and similar
files.

Footnote: 'who' and 'w' read /etc/utmp, 'last' reads /usr/adm/wtmp, and
'lastcomm' reads the process accounting file /var/adm/pacct; they can
only report what those files contain. Most backdoors keep the intruder's
session out of these files. Even if the intruder has not installed a
backdoor yet, it is trivial for him to edit his entries out of them. But
he may overlook one or two of them, especially if you keep additional,
non-standard logs.

Suggestion: Install xinetd or tcp_wrappers, which log every connection to
the services they wrap, so you can see who is knocking on the machine's
doors. Forward syslog to another machine (a loghost) so the intruder
cannot simply find and edit the local copy; the loghost must itself be
well secured, since it becomes the next target. Another possibility:
netlog from net.tamu.edu:/pub/security.
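The following Python script is an added example (it is not part of the original FAQ) of the cross-checking that items 8-12 of the list, the footnote and the suggestion above describe: it decodes wtmp records directly rather than trusting the 'last' binary, and matches the hosts recorded by tcp_wrappers in syslog against the login records. A host that the wrapper saw connecting to a login service but that never appears in wtmp, or an all-zero record in the middle of wtmp, means one of the two logs has been cleaned. It assumes the glibc/Linux utmp record layout (384 bytes); the set of login daemons, the sample wtmp records and the syslog lines are constructed for the demonstration.

```python
"""Cross-check tcp_wrappers connection logs against wtmp login records.

Added example, not part of the original FAQ.  Assumes the glibc/Linux
utmp record layout (384 bytes on i386/x86_64); the wtmp records and
syslog lines below are constructed for the demonstration.
"""
import re
import struct
import sys

# glibc struct utmp: type, pid, line, id, user, host, exit (2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256s2hi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384 on Linux
USER_PROCESS, DEAD_PROCESS = 7, 8

# Wrapped services that leave a wtmp record on a successful login
# (assumed set; fingerd, rshd, ftpd etc. are not correlated).
LOGIN_DAEMONS = {"in.telnetd", "in.rlogind", "sshd"}

# tcp_wrappers logs "<daemon>[pid]: connect from <host>" or "refused connect from".
WRAPPER_RE = re.compile(
    r"^(\w{3}\s+\d+\s[\d:]+)\s+\S+\s+(\S+?)\[\d+\]:\s+(refused )?connect from (\S+)")


def pack_utmp(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used only to construct the sample wtmp)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode every complete fixed-size record in a wtmp/utmp byte string."""
    records = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
            "raw": data[off:off + UTMP_SIZE],
        })
    return records


def parse_wrapper_log(lines):
    """Return (timestamp, daemon, host, refused) for each tcp_wrappers line."""
    hits = []
    for ln in lines:
        m = WRAPPER_RE.match(ln)
        if m:
            host = m.group(4).split("@")[-1]       # drop RFC 931 "user@" prefix
            hits.append((m.group(1), m.group(2), host, bool(m.group(3))))
    return hits


def find_anomalies(wtmp_data, wrapper_lines):
    """Two checks an intruder who cleans one log but not the other will trip:
    (a) an accepted connection to a login daemon from a host that never
        appears in any USER_PROCESS wtmp record, and
    (b) an all-zero record inside wtmp, which an append-only login log
        never contains unless an entry was wiped in place."""
    records = parse_wtmp(wtmp_data)
    login_hosts = {r["host"] for r in records
                   if r["type"] == USER_PROCESS and r["host"]}
    zeroed = [i for i, r in enumerate(records) if r["raw"] == b"\0" * UTMP_SIZE]
    unaccounted = sorted({host for _, daemon, host, refused in parse_wrapper_log(wrapper_lines)
                          if not refused and daemon in LOGIN_DAEMONS
                          and host not in login_hosts})
    return {"zeroed_records": zeroed, "unaccounted_hosts": unaccounted}


# Constructed sample wtmp: two legitimate sessions and one wiped record.
T0 = 889000000
SAMPLE_WTMP = b"".join([
    pack_utmp(USER_PROCESS, 311, "ttyp0", "alice", "ws1.example.edu", T0),
    pack_utmp(DEAD_PROCESS, 311, "ttyp0", "", "", T0 + 600),
    b"\0" * UTMP_SIZE,                       # where the intruder's login used to be
    pack_utmp(USER_PROCESS, 402, "ttyp1", "bob", "ws2.example.edu", T0 + 900),
])

# Constructed tcp_wrappers syslog lines.
SAMPLE_WRAPPER_LOG = [
    "Mar  4 10:33:20 victim in.telnetd[310]: connect from ws1.example.edu",
    "Mar  4 10:41:05 victim in.telnetd[377]: connect from badguy.example.net",
    "Mar  4 10:44:12 victim in.fingerd[380]: connect from badguy.example.net",
    "Mar  4 10:48:40 victim in.rlogind[401]: connect from ws2.example.edu",
    "Mar  4 10:50:01 victim in.telnetd[410]: refused connect from scanner.example.org",
]

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # e.g. /var/log/wtmp /var/log/messages
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], errors="replace") as g:
            result = find_anomalies(f.read(), g.readlines())
    else:
        result = find_anomalies(SAMPLE_WTMP, SAMPLE_WRAPPER_LOG)
    print("zeroed wtmp records at index:", result["zeroed_records"])
    print("connections with no login record:", result["unaccounted_hosts"])
```

Run it with no arguments to see it work on the constructed data, or give it the paths of a wtmp file and a syslog file. Reading wtmp directly avoids a 'last' binary the intruder may have replaced, but the intruder can of course have edited the file as well; that is exactly why the second log, ideally on a separate loghost, is what makes the comparison worth anything.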

It might be wise to watch the intruder with an Ethernet sniffer first, to
learn how he got in and what he is doing on your systems, before taking
corrective measures.

2. Cut the machine off from outside access. Take it off the network to
stop the intruder from getting back in. If the intruder notices that the
administrator is onto him, he may try to hide his tracks with 'rm -rf /'.
