Date: Mon, 16 Feb 2004 18:54:25 -0800
From: richard childers / kg6hac <fscked@pacbell.net>
To: freebsd-security@freebsd.org
Subject: Re: Duncan's rooted system
Message-ID: <40318261.1090908@pacbell.net>
In-Reply-To: <20040216200052.D9AC516A4E6@hub.freebsd.org>
References: <20040216200052.D9AC516A4E6@hub.freebsd.org>
Duncan writes:

> Howdy all? Seems that I have been routed. Possibly
> by a physical B&E, but who knows? Probably some
> of you do.... anyways, some politically sensitive
> email was deleted from a user account and the
> line
>
> low -tr &
>
> inserted into my .xinitrc .
>
> Duncan (Dhu) Campbell

I didn't see a lot of feedback that struck me as useful, there, Duncan, in response to your description of events ... but let me add my two cents; it's always useful to get an objective perspective.

First off, the 'low -tr' could be a red herring; it could be anything, or nothing.

Second, looking for an executable 'low' may or may not be profitable, depending on whether your executables or libraries have been compromised.

Third of all, the first thing you should do is make some backups, preferably in single user. Think of these as photographs of the crime scene; they will be referred to later and must be of the highest quality. 4mm DAT, 8mm and DLT are all suitable media; so are CDs. (Indeed, periodically making 600 MB snapshots of critical pieces of your installation, using a CD burner, is one of the cheapest ways to archive your data; the cost per megabyte is cheaper than any other media I know.)

All of your analysis should be carried out on files restored from these media and copied onto another, pristine, perhaps identical system; if it is identical this is advantageous because it expedites the process of comparing the restored files against the installed files for relevant differences (automate this, naturally).

When thinking about how to prevent this in the future, I would advise that you (1) automate the transfer of all system logs to electronic mail, off the server, for preservation against tampering (i.e., mail yourself a copy of every log, to an offsite address, every day, so that you have a copy in a tamper-proof location) ... and (2) consider using command-line interfaces and living without X where possible.

(Daemonized Networking Services strongly advises against installing X on servers; the advantages are few when compared to the disadvantages and maintenance overhead and vulnerability. We have nothing against X - I have personally been using X since R10V4, no kidding !! - but think that X deserves its own dedicated server and should not piggyback on other services. Of course, there are exceptions, and we have no desire to provoke a debate on this topic; this is, remember, just our free advice - worth about $0.02.)

As for physical security, I would consider a webcam monitoring the console and even the approach to the console; again, by transferring the pictures offsite to another Internet locale that is (more) secure from tampering, one increases the probability that important evidence will be preserved, despite the best efforts of professionals to do otherwise. Using ssh or some form of encryption to secure the images against tampering, during transfer, is recommended.

AXIS makes a nice line of Internet-ready and wireless security cameras; some even include audio and do streaming video. If you're interested in something more complex, a variety of VCRs exist that can handle multiple video streams (i.e., multiple cameras) and even trigger off of activity in one specific region (not a quadrant, more like a quadrant of a quadrant) of the area monitored by a given camera. But at this point your security system will start to outstrip your local giant drugstore's and approach that of a bank's.

(Daemonized Networking Services hosts www.orafraud.org ... and takes physical and network security -very- seriously.)

Regards,

-- richard

--
Richard Childers / Senior Engineer
Daemonized Networking Services
945 Taraval Street, #105
San Francisco, CA 94116 USA
[011.]1.415.759.5571
http://www.daemonized.com
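As an added example (not part of Richard's message or the thread), a POSIX shell script for the automated comparison he recommends: hash every file in a tree restored from the crime-scene backup and in the same tree on a pristine install, then list what is missing, added or changed. The function names, the MISSING/ADDED/CHANGED labels and the use of sha256(1) / sha256sum(1) are my own assumptions.

```shell
#!/bin/sh
# Added example: compare a tree restored from the post-incident backup with the
# same tree on a pristine, known-good install. Function names are assumptions.
LC_ALL=C; export LC_ALL   # stable, locale-independent ordering for sort/awk

# hash_tree ROOT: print "sha256<TAB>relative/path" for every regular file
# under ROOT, sorted by path. Uses sha256(1) on FreeBSD, sha256sum(1) elsewhere.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        if command -v sha256 >/dev/null 2>&1; then
            h=$(sha256 -q "$f")
        else
            h=$(sha256sum "$f" | cut -d ' ' -f 1)
        fi
        printf '%s\t%s\n' "$h" "${f#./}"
    done )
}

# compare_trees PRISTINE RESTORED: print one sorted line per difference:
#   MISSING path   on the pristine system, absent from the restore
#   ADDED   path   only on the restore (e.g. a dropped binary)
#   CHANGED path   same path, different contents (e.g. an edited .xinitrc)
# Returns 1 if any difference was found, 0 if the trees match.
compare_trees() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    hash_tree "$1" > "$a"
    hash_tree "$2" > "$b"
    out=$(awk '
        BEGIN { FS = "\t" }
        FILENAME == ARGV[1] { p[$2] = $1; next }   # pristine hashes
                            { r[$2] = $1 }         # restored hashes
        END {
            for (f in p) if (!(f in r)) print "MISSING " f
            for (f in r) if (!(f in p)) print "ADDED " f
            for (f in p) if ((f in r) && p[f] != r[f]) print "CHANGED " f
        }' "$a" "$b" | sort)
    rm -f "$a" "$b"
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run it as `compare_trees /mnt/pristine /mnt/restored` from the analysis host, never on the suspect machine, and keep the two hash lists alongside the backup media as part of the evidence.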