[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ next ]

Securing Debian Manual
Chapter 10 - After the compromise

10.1 General behavior

If you are physically present when an attack is happening and doing the following will not adversly affect any bussiness transactions, simply unplug the NIC until you can figure out what the intruder did and secure the box. Disabling the network at layer 1 is the only true way to keep the attacker out of the compromised box. (Phillip Hofmeister's wise advice)

If you really want to fix the compromise quickly, you should remove the compromised host from your network and re-install the operating system from scratch. This might not have any effect if you do not know how the intruder got root. In this case you must check everything: firewall/file integrity/loghost logfiles and so on. For more information on what to do following a break-in, see Sans' Incident Handling Guide or CERT's Steps for Recovering from a UNIX or NT System Compromise.

10.2 Backing up the system

Remember that if you are sure the system has been compromised you cannot trust the software in it or any information that it gives back to you. Applications might have been troyanized, kernel modules might be installed, etc.

The best thing to do is a complete filesystem backup copy (using dd) after booting from a safe medium. Debian GNU/Linux Cds can be handily used for this since they provide a shell in console 2 when the installation is started (jump to it using Alt+2 and pressing Enter). The shell can be used to backup the information to another place (maybe a network file server through NFS/FTP...) for analysis while the system is offline (or reinstalled).

If you are sure that there is only a troyan kernel module you can try to run the kernel image from the CD in rescue mode. Make sure to startup also in single mode so no other trojan processes run after the kernel.

10.3 Forensics analysis

If you wish to gather more information, the tct (The Coroner's Toolkit from Dan Farmer and Wietse Venema) package contains utilities which perform a 'post mortem' of a system. tct allows the user to collect information about deleted files, running processes and more. See the included documentation for more information.

Forensics analysis should be done always on the backup copy of the data, never on the data itself since it might be tampered through this analysis (and lost).

FIXME: This paragraph will hopefully provide more information about forensics in a Debian system in the coming future.

FIXME: talk on how to do a debsums on a stable system with the md5sums on CD and with the recovered filesystem restored on a separate partition.

[ previous ] [ Contents ] [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ A ] [ B ] [ C ] [ D ] [ E ] [ F ] [ next ]

Securing Debian Manual

2.5 (beta) 29 augusti 2002Sat, 17 Aug 2002 12:23:36 +0200
Javier Fernández-Sanguino Peña jfs@computer.org