From owner-freebsd-hackers@FreeBSD.ORG Sat Jan 14 16:19:59 2006
From: Cy Schubert
Sender: Cy.Schubert@komquats.com
To: "Daniel O'Connor"
Cc: freebsd-hackers@freebsd.org, anchor
Subject: Re: My machine been hacked, I need help
Date: Sat, 14 Jan 2006 08:19:52 -0800
Message-Id: <200601141619.k0EGJqN6091994@cwsys.cwsent.com>
In-Reply-To: Message from "Daniel O'Connor" of "Sat, 14 Jan 2006 16:32:28 +1030." <200601141632.29709.doconnor@gsoft.com.au>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

In message <200601141632.29709.doconnor@gsoft.com.au>, "Daniel O'Connor" writes:
> On Sat, 14 Jan 2006 14:35, anchor (sent by Nabble.com) wrote:
> > My machine has been hacked. The messages file was modified. Old dated backup
> > files are deleted. The lastlog was truncated. You are gurus. Would you
> > please tell me where I can find other trace files or logfiles to figure
> > out where the hacker came from?
>
> 1) Turn it off
> 2) Put a new hard disk in it and install FreeBSD freshly on the new disk
> 3) Mount the old disk read only and recover all the data you can (no
>    executables)
> 4) Do forensics on the old disk, and/or back it up to tape.
> 5) Nuke the contents of the old disk.
>
> Basically it is really hard to trust any code run from the old disk although
> as someone suggested DDB is most likely to be OK, but you never know :)

Probably, but if a KLD rootkit was installed, you can't even trust DDB. To be on the safe side, panic the system and capture a core dump. Then remove the hard disk and analyse that using one of the various analysis tools on the market.

If you dd the disk to another disk or tape, it is likely that if you do discover the perpetrator and take him to court, your evidence will not be admissible. Only evidence collected by a forensic analysis tool is admissible in court.

Cheers,
Cy Schubert
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: Web: http://www.FreeBSD.org
BC Government:

"Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring."
-- Dave Draper
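The steps in the thread above (image the old disk, mount it so nothing on it can run, look for what changed, and force a crash dump rather than trusting DDB on the live box) as POSIX shell functions. This is an added example, not code from the thread or from FreeBSD. The device names (/dev/ad1, /dev/ad1s1a), the mount point and output paths, the reference file used for "changed since", and the debug.kdb.panic sysctl are assumptions for illustration. Whether a dd image meets an evidentiary standard is the separate point Cy raises; hashing the image at least records that the copy you analyse is the one you took. image_disk works on a regular file as well as a device, which is how it can be tried without a spare disk.

```shell
#!/bin/sh
# Added example for the "compromised FreeBSD box" thread; not the list's
# or the project's code. Paths, device names and the sysctl are assumed.
set -u

# Portable SHA-256: FreeBSD ships sha256(1), Linux sha256sum(1); fall back
# to openssl(1) if neither is present.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Raw image of the suspect disk plus a hash of the image, taken before any
# analysis touches it. conv=noerror,sync keeps going past unreadable
# sectors and zero-fills them, so the output is padded to a multiple of bs.
image_disk() {
    dev=$1; out=$2
    dd if="$dev" of="$out" bs=65536 conv=noerror,sync 2>/dev/null || return 1
    hash_file "$out" > "$out.sha256" || return 1
    printf '%s  %s\n' "$(cat "$out.sha256")" "$out"
}

# Mount the old disk for data recovery only: read-only, nothing on it may
# execute or gain privileges, and access times are left alone (it is evidence).
# The device and mount point are assumptions.
mount_evidence() {
    dev=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,noatime "$dev" "$mnt"
}

# Files on the old disk changed after a reference file (e.g. the newest
# surviving backup). -newer compares mtime, which touch(1) can fake;
# -cnewer compares ctime, which cannot be set without changing the clock,
# so a timestomped file still shows up here.
changed_since() {
    root=$1; ref=$2
    find "$root" -xdev -type f \( -newer "$ref" -o -cnewer "$ref" \) | sort
}

# Set-uid / set-gid files on the old disk; anything not in the base
# system's list is a candidate backdoor.
setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Force a kernel crash dump instead of trusting DDB on the live box. With
# dumpdev set in rc.conf(5) the kernel writes memory to the dump device
# and savecore(8) collects it on the next boot. Run as root on the
# compromised host before powering it off; the sysctl name is an assumption.
dump_and_panic() {
    sysctl debug.kdb.panic=1
}

# Typical sequence on the freshly installed system, old disk attached as
# ad1 (all paths assumed):
#   image_disk /dev/ad1 /forensics/ad1.img
#   mount_evidence /dev/ad1s1a /mnt/old
#   changed_since /mnt/old /mnt/old/var/backups/master.passwd.bak
#   setuid_files /mnt/old
```

The functions only read the old disk; recovery of user data from /mnt/old is an ordinary copy out, and the executables stay behind, which is the point of step 3.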