This article is from the Unix compromise FAQ, by Christopher Klaus cklaus@iss.net with numerous contributions by others.
9. Here is a check list of common ways that a machine is vulnerable:
1. Do an rpcinfo -p on your machine to make sure it is not running
any RPC services that are not needed (e.g. rexd).
2. Check for '+' in /etc/hosts.equiv.
3. Check whether tftp is disabled on your system. If not, disable
it, or at least use the '-s' flag to chroot it to some safe area if
you really can't live without it (it is mostly used for booting
X terminals, but that can sometimes be avoided by NFS-mounting the
appropriate disks). Under no circumstances should you run it as
root. Change the line describing it in /etc/inetd.conf to
something like:
tftp dgram udp wait nobody /usr/etc/in.tftpd in.tftpd -s /tftpboot
or, better yet, use the tcpd wrapper program to protect it from
addresses which should not get access to tftp and to log all other
connections:
tftp dgram udp wait nobody /usr/etc/tcpd in.tftpd -s /tftpboot
and edit /etc/hosts.allow appropriately to restrict access to
in.tftpd to only those addresses that really need it.
4. Check crontabs and at-jobs. Make sure there are no delayed bombs
which will go off after you think you have got rid of all the
nasty things left by an intruder.
5. Check /etc/rc.boot, /etc/rc.local (SYSV: /etc/rc?.d/*) and other
files crucial for system startup. (Best of all, compare them with
copies kept off-line.) Check all other files containing system
configuration (sendmail.cf, sendmail.fc, hosts.allow, at.allow,
at.deny, cron.allow, hosts, hosts.lpd, etc.). In 'aliases' look for
aliases expanding to unusual programs (uudecode is but one example).
6. Check your inetd.conf and /etc/services files to make sure no
additional services have been set up by an intruder.
7. Copy all the log files you still have (pacct, wtmp, lastlog,
sulog, syslog, authlog, any additional logs you have set up
earlier) to some safe place (off-line) so you can examine them
later. Otherwise, do not be surprised if they disappear the next
day when the cracker realises he forgot to remove one of them. Use
your own imagination to find what other traces he could have left
on your system (what about /tmp/* files? Check them BEFORE you
reboot, since /tmp is usually cleared at boot).
8. Make a backup copy of /etc/passwd (best off-line), then change all
root passwords (after verifying that 'su' and 'passwd' are not
trojan versions left by an intruder). It may sound like a horrible
thing to do (especially if you have something like 2000 users), but
*do* lock all accounts by putting '*' in the password field. If the
intruder has a copy of your password file he may sooner or later
guess every password in it (it is only a matter of a good enough
dictionary). He could also have set passwords that only he knows on
accounts whose owners have not logged in for a long time.
On NIS servers check not only the real /etc/passwd, /etc/group
etc. files but also those used for building the NIS maps (if they
are different).
9. Check that your anonymous ftp (and other services) are configured
properly (if you have any, of course). See the
computer-security/anonymous-ftp FAQ.
10. If you want to make your life easier next time (or if you still
cannot get rid of the intruder), consider installing an 'ident'
daemon. Together with tcpd on a set of hosts it can be used to find
which accounts the intruder is using.
11. Make sure the console is the only terminal marked 'secure' (in
/etc/ttytab or /etc/securetty, depending on the system), if any is
at all. This way you prevent root logins directly from the net.
Maybe it is not a big deal, since somebody who knows the root
password may already know other people's passwords too, but maybe
not?
12. Check hosts.equiv, .rhosts, and hosts.lpd for lines that look
like '#' comments. These files have no comment syntax: if an
intruder changes his hostname to '#', that host is considered
trusted and he can access your machines.
13. And remember... There are so many ways that somebody could have
modified your system that you really have to keep your eyes and
ears wide open for a long, long time. The above are pointers only
to the most obvious things to check.
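As an added example (not part of the original FAQ or its author's text), the following POSIX shell script turns checklist items 2, 6, 8 and 12 into functions that can be run against a live /etc or against copies of the files taken from the compromised host. The sample files it writes (a hosts.equiv, an inetd.conf with its off-line baseline, and a passwd file) are constructed for illustration; the function names, the sample hostnames and the trojan path /tmp/in.telnetd are assumptions made here, not anything from the page.

```shell
#!/bin/sh
# Added example, not part of the original FAQ: checklist items 2, 6, 8 and
# 12 above as POSIX shell functions. Each takes explicit file paths, so it
# can be pointed at a live /etc or at a copy taken from the compromised host.
# The files written by make_samples are constructed for illustration only.

# Items 2 and 12: hosts.equiv, .rhosts and hosts.lpd have no comment syntax.
# A '+' alone trusts every host, and a line beginning with '#' is an entry
# for a host literally named '#', not a comment. Prints each dangerous entry
# and returns 1 if any was found; returns 0 if the file is clean or absent.
check_trust_file() {
    [ -f "$1" ] || return 0
    bad=$(awk -v f="$1" '$1 == "+" || $1 ~ /^#/ { print f ": " $0 }' "$1")
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Item 6: print every enabled entry in the current inetd.conf ($1) that does
# not appear, field for field, in the baseline copy kept off-line ($2).
# This catches both services the intruder added and existing services whose
# program path was changed to a trojan. Returns 1 if anything differs.
new_inetd_entries() {
    diffs=$(awk -v b="$2" '
        function norm(  i, s) { s = $1; for (i = 2; i <= NF; i++) s = s " " $i; return s }
        NF == 0 || $1 ~ /^#/  { next }        # blank lines and real comments
        FILENAME == b         { base[norm()] = 1; next }
        !(norm() in base)     { print }' "$2" "$1")
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Item 8: write a copy of a passwd file ($1) to $2 with every account except
# root locked by putting '*' in the password field. Change the root password
# separately, with a 'passwd' binary you have verified is not a trojan.
lock_all_but_root() {
    awk -F: 'BEGIN { OFS = FS } $1 != "root" { $2 = "*" } { print }' "$1" > "$2"
}

# Number of non-root accounts in a passwd file that still have a password.
count_unlocked() {
    awk -F: '$1 != "root" && $2 != "*" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample files (not taken from any real system). The current
# inetd.conf has one altered entry (telnet now runs a program from /tmp) and
# one added service (finger) relative to the baseline.
make_samples() {
    mkdir -p "$1"
    printf 'trusted.example.com\n+\n# added by admin\n' > "$1/hosts.equiv"
    {
        echo 'ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd'
        echo 'telnet stream tcp nowait root /usr/etc/in.telnetd in.telnetd'
        echo '#tftp dgram udp wait nobody /usr/etc/tcpd in.tftpd -s /tftpboot'
    } > "$1/inetd.conf.baseline"
    {
        echo 'ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd'
        echo 'telnet stream tcp nowait root /tmp/in.telnetd in.telnetd'
        echo '#tftp dgram udp wait nobody /usr/etc/tcpd in.tftpd -s /tftpboot'
        echo 'finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd'
    } > "$1/inetd.conf"
    {
        echo 'root:xxRootHash:0:1:Operator:/:/bin/sh'
        echo 'alice:xxAliceHash:100:10:Alice:/home/alice:/bin/sh'
        echo 'guest:*:101:10:Guest:/home/guest:/bin/sh'
    } > "$1/passwd"
}

# Walk through the checks against the constructed samples.
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
check_trust_file "$SAMPLES/hosts.equiv" \
    || echo "hosts.equiv: the entries above trust the world or a host named '#'"
new_inetd_entries "$SAMPLES/inetd.conf" "$SAMPLES/inetd.conf.baseline" \
    || echo "inetd.conf: the entries above are not in the off-line baseline"
lock_all_but_root "$SAMPLES/passwd" "$SAMPLES/passwd.locked"
echo "non-root accounts still unlocked: $(count_unlocked "$SAMPLES/passwd.locked")"
rm -r "$SAMPLES"
```

Run it with sh; it only writes into a temporary directory. On a real system you would call check_trust_file on /etc/hosts.equiv, /etc/hosts.lpd and every ~/.rhosts, compare /etc/inetd.conf against the copy you kept off-line, and run lock_all_but_root from /etc/passwd into a new file that you inspect before installing it with the original's ownership and mode (on an NIS server, rebuild and push the maps afterwards, as item 8 says). The comparison works on whole entries rather than service names so that a trojaned program path on an otherwise familiar service shows up too.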
10. Mail all the sites that you were able to identify as ones the intruder
was coming through, and warn them. Also CC: cert@cert.org. Check all the
sites near you, i.e. in your domain/institution/whatever. It is
usually trivial for a hacker to get to another system with a simple
'rlogin' if the two systems have a common subset of users (who use
.rhosts to make access easier).
11. A preventive measure that stops many intruders from even trying your
network is to install a firewall.
Side-effects: Firewalls may be expensive; filtering may slow down the
network. Consider blocking NFS (port 2049/udp) and portmap (111/udp) on
your router. The authentication and access controls of these protocols
are often minimal. Suggestion: Block all udp ports except the DNS and NTP
ports. Drop all source-routed packets. Disable IP forwarding on hosts
that are not meant to be routers.
 