Re: [[cobalt-users] Server Hacked?]
- Subject: Re: [[cobalt-users] Server Hacked?]
- From: "Richard E. Perlotto II" <richard@xxxxxxxxxxxx>
- Date: Sun Feb 13 13:34:39 2000
Comment in-line, but in general this is not for the weak of heart, nor
for those not willing to spend a lot of time and money to do it
correctly:
CobaltList wrote:
>
> Manuel,
>
> Generally if your server has been compromised you have no way of knowing if
> they have root access and what system files they may have changed. Also log
> everything you do as you investigate this problem, it might help in the
> future.
If you are planning prosecution, or any legal avenue, you should involve
law enforcement as soon as possible. The FBI loves to assist in these
types of incidents. Call the local office and they will be glad to help
you. Make a paper log of ALL your activities to include the exact time you
have done anything. Most legal cases can run years, and you will not remember
everything you have done and when.
>
> The first thing I would do is make an exact duplicate of the hard drive for
> legal purposes. Next change my root password on any other systems which have
> the same password as the one you had hacked. Change the root password on the
> hacked system to a totally different one from any others (passwd might have
> been replaced and could give away the store).
If you are planning legal action, then yes make a copy, but you may want
professionals to work on this part for you. If you cannot stomach $250-$500/hour,
you can try to do the forensic work yourself. There are some tool kits to
help, but all of them will require an extensive knowledge of Unix.
To make a copy, you will want to make a bit copy to be able to review all
the 'deleted data' off of the disk. No matter what the 'hacker' attempts
to do, the data will still be on the drive. But you will need a second
disk, and place the first in read only mode so that you do not damage any
of the information upon it.
At no time should you CHANGE ANYTHING. As soon as you change the state of the
data, you have invalidated some if not all of it as evidence.
It would be better to take this machine off-line and use another for
business if you are going this route.
>
> Move all of the clients to a known clean box, changing their passwords to
> strong passwords. If they have any cgi scripts which they have uploaded I
> would also examine them to see what they do. I would deny them telnet access
> unless they really, really, really needed it and could prove it. You can
> debug 99.9% of cgi script problems with ftp and log files so that is not
> proof enough.
>
> Analyze the system to see what files they changed and what they did while in
> your system.
>
> See if you can figure out who it is, if so bring legal action against them,
> if you can (not an attorney, so I suggest you talk to one).
If this is the course you wish to take, once again, involve local law
enforcement as soon as possible, preferably the FBI.
>
> Take the now useless box and format the hard drive and load the OS from a
> known good source. I have been told that there is a CD available to do this.
Smash and trash is the best answer.
>
> If the above steps are out of your area of expertise hire someone who knows
> what they are doing.
Most companies just take the system down, reload, and start over.
>
> Hope this helps.
>
> Roger
> support@xxxxxxxxxxxxxxxxx
> http://www.active-server.com
>
> ----- Original Message -----
> From: manitu <manitu@xxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Sunday, February 13, 2000 10:18 AM
> Subject: Re: [[cobalt-users] Server Hacked?]
>
> > > I would guess it would, but I wouldn't do that and none of my users has
> > > telnet access.
> >
> > I think granting telnet access sparingly could help improve security (oh,
> > it rhymes...).
> >
> > Is there a log which I can look at in order to see which of my customers
> > (users) have ever logged in via telnet so that I only give telnet access to
> > them who really need it ?
> >
> > Manuel
> >
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
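Two of the steps discussed in this thread, the bit copy of the drive made before anything else is touched and Manuel's question about finding out which users have ever logged in over telnet, as a worked example added here by the editor. This is not code from the thread or from Cobalt. It assumes GNU/BusyBox `dd` and `sha256sum`, a source device that is attached read-only, and the `last` output below is constructed sample data, not a real log.

```shell
#!/bin/sh
# Added example (not part of the original thread).
# Assumptions: dd and sha256sum are available; the source disk is attached
# read-only so imaging cannot alter it; the `last` sample below is made up.

# Make a bit-for-bit copy of SRC (a block device or a file) into IMG and
# confirm the image hashes identically to the source. Returns 0 on a match.
# bs=512 matches the sector size, so conv=sync never pads the image beyond
# the real size of the device; on a plain file the size must be a multiple
# of 512 for the two hashes to agree.
image_and_verify() {
    src="$1"; img="$2"
    # noerror: keep going past unreadable sectors; sync: fill them with zeros
    # so every later offset in the image still lines up with the disk.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Write both hashes next to the image so the paper log has something
    # to compare against months later.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Print the unique user names that logged in over the network, i.e. on a
# pseudo-terminal (ttyp* on 2.2-era Linux, pts/* on newer systems), rather
# than on a console tty. Reads `last` output from stdin:
#     last | network_login_users
# `last` only covers what is still in /var/log/wtmp, and an intruder with
# root can edit that file, so run it against the imaged copy, not the live box.
network_login_users() {
    awk '$2 ~ /^(ttyp|pts\/)/ && $1 != "reboot" { print $1 }' | sort -u
}

# Constructed sample of `last` output (not real data): two people on
# pseudo-terminals, one console login, a reboot record and the wtmp footer.
SAMPLE_LAST='manuel   ttyp0        host1.example.com  Sun Feb 13 10:18   still logged in
root     tty1                            Sun Feb 13 09:02 - 09:40  (00:38)
alice    ttyp1        dialup.example.net Sat Feb 12 22:11 - 22:30  (00:19)
reboot   system boot  2.2.12             Sat Feb 12 08:00
manuel   ttyp2        host1.example.com  Fri Feb 11 14:00 - 14:05  (00:05)

wtmp begins Tue Feb  1 00:00:01 2000'

# Stand-alone demonstration on the sample: prints "alice" and "manuel".
printf '%s\n' "$SAMPLE_LAST" | network_login_users
```

On a real machine the first function is run as `image_and_verify /dev/hda /mnt/evidence/hda.img` from a clean system with the suspect drive attached, and the image (never the original) is what gets examined afterwards, for instance mounted read-only with `mount -o ro,loop,noexec`.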