Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 12 Aug 1997 11:20:38 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Philippe Regnauld <regnauld@deepo.prosa.dk>
Cc:        Jeff Aitken <jaitken@aitken.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: post-break-in checklist?
Message-ID:  <Pine.BSF.3.95q.970812105957.5556B-100000@cyrus.watson.org>
In-Reply-To: <19970812161107.40226@deepo.prosa.dk>

next in thread | previous in thread | raw e-mail | index | archive | help

BTW, might want to suggest booting from the recovery floppy disk "(known
to be untainted), and make sure not to use any utilities from the hard
disk.  Including ls, cksum, perl, etc.  I can easily replace your cksum to
give false checksums :).  All binaries, as you say, should be treated as
tainted.  As should the kernel, the sources, etc.  To be honest, a clean
reinstall and then restoration of backup is the only way to go -- the
possible locations for trojans are too prolific.

So my modification of your list would be:

1. Be paranoid. Keep a log of everything.  You'll kick yourself later if
you discover you didn't write something down, and have forgotten the
details, especially if you wish to press charges. 

2. Boot to a CROM or recovery disk, known to be untainted

3. Verify the partition structure is as expected, and reinstall your boot
blocks

3. Mount all partitions nosuid, nodev, noexec to /mnt after doing fsck

4. Copy your /etc to a trusted directory (preferably off of your MFS
root), and put a restored copy of /etc somewhere nearby.  Using a clean
cksum, compare all files, as wel as disk consumption and directory
structure.  If you find differenes, determine if they are as a result of
changes since backup, or something else. 

5. Reinstall from a clean source (preferably CDROM) your core /bin to the
hard disk, as well as new kernel source if you don't/can't run a GENERIC
kernel.  Reinstall or verify all other binaries against a trusted source
-- if you cannot vierfy that a binary is unchanged, disable the binary and
put it in a safe place.  Make sure that the system libraries are among the
files you check -- ideally, you would just find anything with the execute
bit set, etc.  It is important that ou make sure the kernel is rebuilt
from a clean kernel source (and config file) as a change here would go
easily unnoticed.

Then jump back in on your list, I guess.  This is just some preliminary
thoughts -- there are a few more items I'd add:

Install current FreeBSD patches (prevent future security incidents) --
post a modus operandi of the hacker and any hosts they came from to
freebsd-security or some other place.  Check all user home directories for
any common problems --.rhosts, script things, .forward, etc.  In the end,
you are aways vulnerable to your users, but you can only do what you can
do.  The idea of the above list is to prevent trusting anything on the
system that could have been tainted.  In the end, it is pretty much
everything.  If you are extremely unlucky, they have modified your
bios.cmos entries somewhow.  With root access and w/o securelevels (and
various other resitrictions) bad things can happen, like boot block
modification.

Robert Watson


On Tue, 12 Aug 1997, Philippe Regnauld wrote:

> Jeff Aitken writes:
> 
> > As I recall, someone posted a post-breakin-checklist awhile back (I
> > seem to think it was Karl Denninger, but I'm not sure).  Anyway, I
> > neglected to save a copy of it, and was wondering if anyone had such
> > a beast handy.
> 
> 	Don't have that list handy.  But from experience:
> 
> 	1) be paranoid.
> 	2a) take the machine off the network right away
> 	2b) take it down to single user mode
> 	3) change all your passwords or close accounts until you can have
> 	   users change their passwords
> 	4) find all setuid/setgid binaries and compare against a recent backup
> 	   (you have a backup, don't you ?) or against another installation/
> 	   media (the 2nd FreeBSD CD-Rom is perfect for this).  Comparing
> 	   doesn't just mean size and date, run a checksum (md5) for each.
> 	   You can hack up a 5 line perl script that will run this for you.
> 	5) check every binary on your system, even not setuid -- even
> 	   'ls' can be trapped the next time you run it as root
> 	6) inspect /etc/inetd.conf for unusual services, like:
> 
>         mysh   stream  tcp     nowait  root    /bin/sh
> 
> 	7) check /etc/hosts.equiv and /root/.rhosts
> 	8) check the configuration for anything new in the startup
> 	   scripts
> 	9) if you're still alive, check the configuration for daemons
> 	   and servers (named, httpd, sshd, etc...)
> 
> 	10) recompile a fresh kernel
> 	11 - bonus) install tripwire, swatch, etc...
> 
> 
> -- 
>                                                               -- Phil
> 
> -[ Philippe Regnauld  /  Systems Administrator  /  regnauld@deepo.prosa.dk ]-
> -[ Location.: +55.4N +11.3E        PGP Key: finger regnauld@hotel.prosa.dk ]-
> 


  Robert N Watson 

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970812105957.5556B-100000>