Date: Sun, 23 Aug 1998 02:37:57 +0000 (GMT)
From: Terry Lambert <tlambert@primenet.com>
To: rabtter@aye.net (B. Richardson)
Cc: hackers@FreeBSD.ORG
Subject: Coping with a system breach...
Message-ID: <199808230237.TAA20049@usr04.primenet.com>
In-Reply-To: <Pine.SGI.3.95.980821185606.1979A-100000@orion.aye.net> from "B. Richardson" at Aug 21, 98 07:12:40 pm
> I have a problem with some hackers that are obsessed with making my
> ISP's life miserable (they've already hacked our SGI). I've slapped
> together a FreeBSD box to throw their webpages on it, turned off all
> services except http.
>
> The hackers have expressed intent to break into our machines at
> any opportunity (they seem to be infuriated that we intervened and
> were able to keep a couple of services up on our SGI).
>
> The hackers relentlessly attacked our machine every time we tried to
> bring our SGI online for a 48 hour stretch, and I believe they are
> going to try to break into our new machines with the same fervor.
>
> What I want to do, if possible, is build a unique system such that binaries
> from other systems will not run on it and vice versa. Is this possible?

I am uncertain whether or not you are the ISP; you said "making my ISP's life miserable", and then you said "they've already hacked our SGI".

The first thing to do is to log, to a different machine, all TCP and UDP packet source addresses for all inbound traffic. The other machine should have exactly one network port open: the one that you write the logs to. Alternately, use a serial console and a teletype (or serial printer wired in parallel with a dumb terminal).

In any case, log the accesses by the hackers, and add their addresses to your firewall list. They can't be on every machine on the net. Then use the IP addresses to reverse lookup who owns the netblock they are coming from, and report them. This will have better teeth if you are willing to earnestly pursue wire fraud and criminal trespass charges against the perpetrators.

If the crackers (a "hacker" is a programmer's name for a programmer and/or someone who makes furniture with an axe) persist in the face of monitoring, then shut down everything you can.

The easiest way to do this for TCP is to dump inbound packets for things the ISP lets customers do, but for which there are no servers inside the secure zone if those same services are exported to the net at large. For example, allow outbound IRC from your customers, but do not allow inbound packets to the IRC port that do not have the response bit set.

You may want to consider not allowing inbound FTP connections; that is, your customers will have to use "ftp -p" to engage "passive mode", where the FTP connection is always initiated by the client, rather than the client telling the server via the control channel, and the server connecting back.

Make sure you have disabled source routing, to mitigate the possibility of IP spoofing. In general, restrict inbound traffic to specific choke-points.

If the crackers are your customers, when you catch them, then sue them for breach of contract (assuming you have an acceptable use policy in place; if not, the best you can do is civil charges and throw them off).

Basically, you will need to be very careful. It would be helpful to have a full equipment list, and the reasons given for targeting the particular ISP in the first place (persistent SPAM relay, known easy target, whatever), but you would have a hard time justifying posting this to a public forum while you are under attack, and a hard time getting a useful response on all of the equipment from a single individual.

If these guys got root, expect to have to reinstall the machine while it is off the network to remove any modified versions of "login" or anything else on the system. Otherwise, expect your system to cooperate in letting them back in.

Expect that they have compromised other machines. If you have any NT or Windows 95/98 machines, look for "Back Orifice" (search for "windll.dll" on all drives to identify compromised machines), etc.

Contact CERT and utilize their site and other resources to protect your machines.

Contact the FBI and Secret Service if the attack is from another state and/or country.

In the worst case, expect to have to hire a security consultant for a pretty penny.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
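The filtering policy Terry describes (log inbound source addresses, let inbound IRC packets through only when they carry the response bit, drop active-mode FTP data connections from outside, refuse source-routed packets, then turn the denied addresses into a block list grouped by netblock) can be modelled as a small stateless packet filter. The following is an added illustration for this archive page, not FreeBSD's ipfw and not the original poster's configuration; the `Packet` fields, the port constants and the sample traffic are all constructed for the example, and the whois step is left as a netblock grouping only.

```python
"""Toy packet-filter policy modelling the rules in the reply above.
Added example; not ipfw and not the original poster's setup."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

IRC_PORT = 6667
FTP_DATA_PORT = 20  # active-mode FTP: the server connects back from port 20


@dataclass
class Packet:                    # constructed record, not a real capture format
    src: str
    dst: str
    proto: str                   # "tcp" or "udp"
    sport: int
    dport: int
    direction: str               # "in" (from the net) or "out" (from customers)
    ack: bool = False            # TCP ACK flag; False on a bare SYN
    source_routed: bool = False  # IP source-route option present


def decide(pkt):
    """Return ('deny', reason) or ('allow', reason) for a single packet."""
    if pkt.source_routed:
        return "deny", "source-routed packet"
    if pkt.direction == "out":
        return "allow", "outbound traffic from customers"
    if pkt.proto == "tcp" and not pkt.ack:
        # A bare SYN is a connection initiated from outside.
        if pkt.dport == IRC_PORT:
            return "deny", "inbound IRC connection without response bit"
        if pkt.sport == FTP_DATA_PORT:
            return "deny", "active-mode FTP data connection from outside"
    return "allow", "permitted by default policy"


def filter_and_log(packets):
    """Apply decide() to every packet; return (allowed, denied_by_src).

    denied_by_src stands in for the 'log source addresses elsewhere' step:
    only the sources of denied packets are tallied here."""
    allowed = []
    denied_by_src = Counter()
    for pkt in packets:
        verdict, _reason = decide(pkt)
        if verdict == "allow":
            allowed.append(pkt)
        else:
            denied_by_src[pkt.src] += 1
    return allowed, denied_by_src


def block_list(denied_by_src, threshold=3):
    """Addresses denied at least `threshold` times, grouped by /24 so the
    netblock owner can be looked up and notified (no whois is done here)."""
    blocks = {}
    for addr, count in denied_by_src.items():
        if count >= threshold:
            net = ipaddress.ip_network(f"{addr}/24", strict=False)
            blocks.setdefault(str(net), []).append(addr)
    return {net: sorted(addrs) for net, addrs in sorted(blocks.items())}


# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("10.1.1.5", "203.0.113.9", "tcp", 40000, IRC_PORT, "out"),          # customer to IRC
    Packet("203.0.113.9", "10.1.1.5", "tcp", IRC_PORT, 40000, "in", ack=True), # IRC reply
    Packet("198.51.100.7", "10.1.1.5", "tcp", 5555, IRC_PORT, "in"),            # unsolicited SYN
    Packet("198.51.100.7", "10.1.1.6", "tcp", 5556, IRC_PORT, "in"),
    Packet("198.51.100.7", "10.1.1.7", "tcp", FTP_DATA_PORT, 1025, "in"),       # active FTP data
    Packet("198.51.100.8", "10.1.1.5", "tcp", 1234, 80, "in", source_routed=True),
    Packet("192.0.2.44", "10.1.1.5", "tcp", 33333, 80, "in"),                   # ordinary web visitor
    Packet("192.0.2.44", "10.1.1.5", "udp", 53, 53000, "in"),                   # DNS reply
]

if __name__ == "__main__":
    allowed, denied = filter_and_log(SAMPLE)
    print(f"allowed {len(allowed)}, denied {sum(denied.values())}")
    for net, addrs in block_list(denied).items():
        print(net, addrs)
```

Run on the sample, the web visitor and the IRC reply pass, the three unsolicited packets from 198.51.100.7 and the source-routed packet are dropped, and only 198.51.100.7 crosses the threshold, so the block list names it under 198.51.100.0/24. A real filter would of course be stateful and keyed on the established connection rather than on the ACK bit alone; the ACK-bit test is the 1998-era approximation the mail refers to.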
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808230237.TAA20049>