Date: Tue, 12 Aug 1997 11:20:38 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: Philippe Regnauld <regnauld@deepo.prosa.dk> Cc: Jeff Aitken <jaitken@aitken.com>, freebsd-security@FreeBSD.ORG Subject: Re: post-break-in checklist? Message-ID: <Pine.BSF.3.95q.970812105957.5556B-100000@cyrus.watson.org> In-Reply-To: <19970812161107.40226@deepo.prosa.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
BTW, might want to suggest booting from the recovery floppy disk "(known to be untainted), and make sure not to use any utilities from the hard disk. Including ls, cksum, perl, etc. I can easily replace your cksum to give false checksums :). All binaries, as you say, should be treated as tainted. As should the kernel, the sources, etc. To be honest, a clean reinstall and then restoration of backup is the only way to go -- the possible locations for trojans are too prolific. So my modification of your list would be: 1. Be paranoid. Keep a log of everything. You'll kick yourself later if you discover you didn't write something down, and have forgotten the details, especially if you wish to press charges. 2. Boot to a CROM or recovery disk, known to be untainted 3. Verify the partition structure is as expected, and reinstall your boot blocks 3. Mount all partitions nosuid, nodev, noexec to /mnt after doing fsck 4. Copy your /etc to a trusted directory (preferably off of your MFS root), and put a restored copy of /etc somewhere nearby. Using a clean cksum, compare all files, as wel as disk consumption and directory structure. If you find differenes, determine if they are as a result of changes since backup, or something else. 5. Reinstall from a clean source (preferably CDROM) your core /bin to the hard disk, as well as new kernel source if you don't/can't run a GENERIC kernel. Reinstall or verify all other binaries against a trusted source -- if you cannot vierfy that a binary is unchanged, disable the binary and put it in a safe place. Make sure that the system libraries are among the files you check -- ideally, you would just find anything with the execute bit set, etc. It is important that ou make sure the kernel is rebuilt from a clean kernel source (and config file) as a change here would go easily unnoticed. Then jump back in on your list, I guess. This is just some preliminary thoughts -- there are a few more items I'd add: Install current FreeBSD patches (prevent future security incidents) -- post a modus operandi of the hacker and any hosts they came from to freebsd-security or some other place. Check all user home directories for any common problems --.rhosts, script things, .forward, etc. In the end, you are aways vulnerable to your users, but you can only do what you can do. The idea of the above list is to prevent trusting anything on the system that could have been tainted. In the end, it is pretty much everything. If you are extremely unlucky, they have modified your bios.cmos entries somewhow. With root access and w/o securelevels (and various other resitrictions) bad things can happen, like boot block modification. Robert Watson On Tue, 12 Aug 1997, Philippe Regnauld wrote: > Jeff Aitken writes: > > > As I recall, someone posted a post-breakin-checklist awhile back (I > > seem to think it was Karl Denninger, but I'm not sure). Anyway, I > > neglected to save a copy of it, and was wondering if anyone had such > > a beast handy. > > Don't have that list handy. But from experience: > > 1) be paranoid. > 2a) take the machine off the network right away > 2b) take it down to single user mode > 3) change all your passwords or close accounts until you can have > users change their passwords > 4) find all setuid/setgid binaries and compare against a recent backup > (you have a backup, don't you ?) or against another installation/ > media (the 2nd FreeBSD CD-Rom is perfect for this). Comparing > doesn't just mean size and date, run a checksum (md5) for each. > You can hack up a 5 line perl script that will run this for you. > 5) check every binary on your system, even not setuid -- even > 'ls' can be trapped the next time you run it as root > 6) inspect /etc/inetd.conf for unusual services, like: > > mysh stream tcp nowait root /bin/sh > > 7) check /etc/hosts.equiv and /root/.rhosts > 8) check the configuration for anything new in the startup > scripts > 9) if you're still alive, check the configuration for daemons > and servers (named, httpd, sshd, etc...) > > 10) recompile a fresh kernel > 11 - bonus) install tripwire, swatch, etc... > > > -- > -- Phil > > -[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]- > -[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]- > Robert N Watson Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/ Network Administrator, SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970812105957.5556B-100000>