hacked server


hacked server

Jon Miller-5
I have a hacked server that has a few rootkits installed.  I'm going to rebuild this using the following procedure:
1) backup data files
2) copy /etc/*.conf
3) either make an image of the system and then blow it away or get new drives.

Have I missed out on anything?


Thanks

Jon L. Miller,  ASE, CNS, CLS, MCNE, CCNA
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
Resellers for: Novell Gold Partner, Cisco Partner, Peopletelecom, Westnet, Sophos Anti-Virus, CA Products

"I don't know the key to success, but the key to failure
 is trying to please everybody." -Bill Cosby


Re: hacked server

Alvin Oga


On Sat, 18 Mar 2006, Jon Miller wrote:

> I have a hacked server that has a few rootkits installed.  I'm going to rebuild this using the following procedure:
> 1) backup data files
> 2) copy /etc/*.conf
> 3) either make an image of the system and then blow it away or get new drives.
>
> Have I missed out on anything?

for the "3" items:
a) if you backup data, do NOT erase previous ( supposedly good and clean )
   backups prior to you noticing the rootkits .. but the actual intruder
   could have been there for months ... so do NOT erase the past two
   months of "good" backups
 
b) *.conf is not the only item of interest

   most everything of value fits onto floppy, so if your system config
   doesn't fit onto a floppy, you're copying more stuff than you need

c) getting a new disk is best ... keep the old disk just in case you forgot
   to copy the all-important config file you forgot about

        use apt-get to get a list of installed packages if you
        trust its output to rebuild your new box with similar apps

d) and you missed about 997+ other important things to do after being
   cracked and maybe only a dozen or so would be of general interest
        - change your current security policy to prevent it from
        happening again ...

        - backup data daily onto backup data from 6 months ago vs
        overwriting last week's data

        - apply patches as needed ( daily, weekly or monthly ) as
        time permits

        - find out who got in,
        - find out when they got in
        - find out how they got in
        - find out why they got in ( their perspective = fun or malicious)
        - find out why they got in ( your perspective = security hole )

        - find out what OTHER machines they have attacked
        - find out what data they have sniffed ( login/pwd )
        - find out where they went after getting into your servers

        - report to the local computer crime dept or FBI or equivalent
        if you want to prosecute ... but that'd imply you don't
        touch your server and the lawyers have it offline etc.. etc..

        ... blah blah .. blah ..

e) 975+ other things to do :-)

c ya
alvin


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Re: hacked server

Tony Godshall

No, not as a mirror.

No, not as RAID.

Just online/available but not in $PATH, not booted from.
BIOS boots from typically CDROM first, IDE0 primary second.
If your drive is on IDE1 (or SATA1), BIOS shouldn't load
its boot sector, and Linux shouldn't mount it or run
anything off it unless you tell it to (DON'T).

Heck, to feel safe, if and when you mount it, mount it with
-o noexec, which keeps any binaries from being executed.  Of
course this may be a no-op right now: the manpage says "This
trick fails since Linux 2.4.25 / 2.6.0".

According to Jon Miller,

> Wouldn't the same rootkits be on the secondary? In a mirror it writes to the primary then writes to the secondary drive.  I plan to keep the drive intact since I may need files from the drive(s).
>
> >>> Tony Godshall <[hidden email]> 3:47:57 pm 18/03/2006 >>>
>
> If it was me, I'd move the drive to secondary and get a new
> drive for primary.  Then you can copy and diff and whatever.
> If you forgot something, no worries, it's mounted over
> there at /olddrive/home/ or /olddrive/etc
>
> According to Jon Miller,
> > I have a hacked server that has a few rootkits installed.  I'm going to rebuild this using the following procedure:
> > 1) backup data files
> > 2) copy /etc/*.conf
> > 3) either make an image of the system and then blow it away or get new drives.
> >
> > Have I missed out on anything?
> >
> >
> > Thanks
> >
> > Jon L. Miller,  ASE, CNS, CLS, MCNE, CCNA
> > Director/Sr Systems Consultant
> > MMT Networks Pty Ltd
> > http://www.mmtnetworks.com.au
> > Resellers for: Novell Gold Partner, Cisco Partner, Peopletelecom, Westnet, Sophos Anti-Virus, CA Products
> >
> > "I don't know the key to success, but the key to failure
> >  is trying to please everybody." -Bill Cosby
>
>
>
> --
>
> Best Regards,
>
> Tony


--

Best Regards,

Tony


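Putting Alvin's points (a) to (c) and Tony's "old disk as secondary, copy and diff" advice into one script, as an added example that is mine and not code from anyone in the thread. It assumes the old disk is mounted at /olddrive (the OLD variable) and uses /dev/sdb1 as a placeholder device name; the dpkg status file, the two sshd_config files and the planted setuid file in the demo section are constructed so the script runs offline and unprivileged. One caveat on noexec: the mount(8) sentence Tony quotes is about the old "/lib/ld*.so /mnt/binary" trick for running a binary despite noexec, and it is that bypass which stopped working in 2.4.25 / 2.6.0, so noexec is still worth setting; pair it with ro, nosuid and nodev.

```shell
#!/bin/sh
# Added example, not code from the thread. Pull what you need off the rooted
# disk from the clean install without executing anything that lives on it.
# Assumptions: the old disk is mounted at $OLD (default /olddrive) and
# /dev/sdb1 is a placeholder device name.
set -eu

OLD=${OLD:-/olddrive}

# Mount the old disk so nothing on it can run, gain privilege, expose device
# nodes, or be modified. ro also keeps the evidence intact for a later
# forensic image. Not called in the demo below: it needs root and the disk.
mount_old_disk() {
    mkdir -p "$OLD"
    mount -o ro,noexec,nosuid,nodev "${1:-/dev/sdb1}" "$OLD"
}

# Installed packages, read straight out of dpkg's text database with the
# clean system's awk. dpkg and apt on the old disk may be trojaned, so they
# are never run; the status file could have been edited too, so treat the
# list as a hint for what to reinstall, not as proof of what was running.
installed_from_status() {   # $1 = a dpkg status file, e.g. $OLD/var/lib/dpkg/status
    awk '
        /^Package: / { pkg = $2 }
        /^Status: /  { st  = $0 }
        /^$/         { if (st ~ /install ok installed/) print pkg; pkg = ""; st = "" }
        END          { if (pkg != "" && st ~ /install ok installed/) print pkg }
    ' "$1" | sort -u
}

# The "copy and diff" step: old-side paths of files that differ between the
# old /etc and the fresh one. Read every diff by hand before carrying a file
# across; /etc is where extra ssh keys, cron jobs, inetd lines and PAM
# changes hide.
changed_configs() {         # $1 = old etc dir, $2 = new etc dir
    diff -rq "$1" "$2" 2>/dev/null | sed -n 's/^Files \(.*\) and .* differ$/\1/p' | sort
}

# Setuid/setgid files on the old disk: rootkits routinely leave one behind.
# -xdev stays on that filesystem; the mount options above make listing safe.
setuid_on_old() {           # $1 = root of the old disk
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# ---- Demo on constructed data, so this runs offline and unprivileged ----
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/old/etc/ssh" "$demo_dir/new/etc/ssh" "$demo_dir/old/usr/bin"

# Constructed dpkg status file: two installed packages, one removed.
cat > "$demo_dir/status" <<'EOF'
Package: openssh-server
Status: install ok installed
Version: 1:4.2p1-8

Package: telnetd
Status: deinstall ok config-files
Version: 0.17-29

Package: apache2
Status: install ok installed
Version: 2.0.55-4
EOF

# Constructed configs: one the intruder loosened, one unchanged.
printf 'PermitRootLogin yes\n' > "$demo_dir/old/etc/ssh/sshd_config"
printf 'PermitRootLogin no\n'  > "$demo_dir/new/etc/ssh/sshd_config"
printf 'nameserver 192.0.2.1\n' | tee "$demo_dir/old/etc/resolv.conf" > "$demo_dir/new/etc/resolv.conf"
# Constructed planted setuid file (empty; only the mode bits matter here).
: > "$demo_dir/old/usr/bin/.x"
chmod 4755 "$demo_dir/old/usr/bin/.x"

echo "== installed packages, from the status file =="
installed_from_status "$demo_dir/status"
echo "== configs that differ (old-side path) =="
changed_configs "$demo_dir/old/etc" "$demo_dir/new/etc"
echo "== setuid/setgid files on the old disk =="
setuid_on_old "$demo_dir/old"
```

Everything read from the old disk goes through tools on the fresh install; nothing on the old disk is executed, which is the property Alvin's "if you trust its output" caveat is about. On the real box, call mount_old_disk first, then point the three functions at $OLD/var/lib/dpkg/status, $OLD/etc and $OLD. None of this replaces a full image taken before the disk is touched if prosecution is on the table.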