If you are physically present when an attack is happening and doing the following will not adversly affect any bussiness transactions, simply unplug the NIC until you can figure out what the intruder did and secure the box. Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box. (Phillip Hofmeister's wise advice)
If you really want to fix the compromise quickly, you should remove the
compromised host from your network and re-install the operating system from
scratch. This might not have any effect if you do not know how the intruder
got root. In this case you must check everything: firewall/file
integrity/loghost logfiles and so on. For more information on what to do
following a break-in, see
Sans' Incident Handling
CERT's Steps for
Recovering from a UNIX or NT System Compromise.
Remember that if you are sure the system has been compromised you cannot trust the software in it or any information that it gives back to you. Applications might have been troyanized, kernel modules might be installed, etc.
The best thing to do is a complete filesystem backup copy (using
dd) after booting from a safe medium. Debian GNU/Linux Cds can be
handily used for this since they provide a shell in console 2 when the
installation is started (jump to it using Alt+2 and pressing Enter). The shell
can be used to backup the information to another place (maybe a network file
server through NFS/FTP...) for analysis while the system is offline (or
If you are sure that there is only a troyan kernel module you can try to run the kernel image from the CD in rescue mode. Make sure to startup also in single mode so no other trojan processes run after the kernel.
If you wish to gather more information, the
tct (The Coroner's
Toolkit from Dan Farmer and Wietse Venema) package contains utilities which
perform a 'post mortem' of a system.
tct allows the user to
collect information about deleted files, running processes and more. See the
included documentation for more information.
Forensics analysis should be done always on the backup copy of the data, never on the data itself since it might be tampered through this analysis (and lost).
FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.
FIXME: talk on how to do a debsums on a stable system with the md5sums on CD and with the recovered filesystem restored on a separate partition.
Securing Debian Manual2.5 (beta) 29 augusti 2002Sat, 17 Aug 2002 12:23:36 +0200