On Fri, 4 Jan 2002 19:43, Andy Bastien wrote:
> > > Is it really necessary to buy new hard drives? Is there a reason why
> > > he can't just reformat his current drives before reinstalling?
> >
> > Sure he can, if he wants to lose the evidence of what happened and lose
> > the possibility to hand the drives over to law enforcement officials
> > (which may be demanded of him even if he doesn't want it in the case that
> > his machine was used to attack others).
>
> Good point! Having never dealt with the fuzz after being compromised,
Firstly please note that I don't have much first-hand experience with dealing with the police on such issues. The times when police issues have come up I've been too busy and let other people handle it - those people didn't disturb me so I never bothered finding out exactly what happened... Even if I did have detailed experience of such things it probably wouldn't apply in your jurisdiction - and the law is constantly changing anyway.

> I have to ask what you would do if your server is a file server with
> lots of big, expensive drives where a company might not be able to
> afford replacing them all? Would they be happy with backups (keeping
> in mind that any tools used to backup the server might no longer be
> trustworthy)? How about disk images (made with dd, or something
> similar) of the drives that contain the system stuff?

OK. When I described replacing all hard drives I was referring to system disks with the OS and applications, not data files.

Keeping a backup of your news spool probably doesn't gain you much.

Just use find on the data disks (the copy of find on the freshly installed un-cracked system on new system disks) to search for suspicious files (SUID, SGID, and executables where you least expect them). Also search for files and directories starting in '.' in locations where you don't expect them. Another thing to check for is the most recently changed files. On a web server the content may not have changed for a month; any files changed in the last week would be by the intruder...

After copying and removing all suspicious files (make sure you use tar or cpio, not cp, so that permissions and time stamps are preserved) the data disks will be ready for service again. Make sure that boot sectors are wiped as well (on a Debian installation use install-mbr on every disk that has a partition table).
--
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
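The data-disk triage Russell describes (find for SUID/SGID and stray executables, dot-entries where none belong, recently changed files, then tar rather than cp so mode and mtime survive) written out as a script. This is an added example, not code from the mail; the sample "data disk" it builds under mktemp is constructed so it runs offline, and it is meant to be run from a clean system against a mounted data disk.

```shell
#!/bin/sh
# Added example: triage a mounted data disk with find, then archive the
# hits with tar so permissions and time stamps are preserved.
set -u

# Constructed sample "data disk": a static web tree untouched for a
# month, plus two planted oddities to find (hypothetical, not real data).
make_sample_disk() {
    DATA=$(mktemp -d)
    mkdir -p "$DATA/htdocs/images" "$DATA/htdocs/.cache"
    printf 'index\n' > "$DATA/htdocs/index.html"
    printf 'logo\n'  > "$DATA/htdocs/images/logo.png"
    touch -t 200112010000 "$DATA/htdocs/index.html" "$DATA/htdocs/images/logo.png"
    # SUID file hidden in an image directory, and an executable inside a
    # dot-directory that static content has no reason to contain.
    printf '#!/bin/sh\n' > "$DATA/htdocs/images/.x"
    chmod 4755 "$DATA/htdocs/images/.x"
    printf 'tool\n' > "$DATA/htdocs/.cache/cmd"
    chmod 755 "$DATA/htdocs/.cache/cmd"
    echo "$DATA"
}

# SUID, SGID and owner-executable regular files under a content tree.
find_suspicious_exec() {   # $1 = mount point of the data disk
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -u+x \) | sort
}

# Files or directories whose name starts with '.' (mount point excluded).
find_dotfiles() {          # $1 = mount point
    find "$1" -name '.*' -not -path "$1" | sort
}

# Non-directories modified within the last N days; on a static server
# anything this recent deserves a look.
find_recent() {            # $1 = mount point, $2 = days
    find "$1" -mtime "-$2" -not -type d | sort
}

# Copy the hits into a tar archive (not cp) so mode, owner and mtime are
# kept for later examination; prints the archive path.
archive_hits() {           # $1 = mount point
    out=$(mktemp -u).tar
    { find_suspicious_exec "$1"; find_dotfiles "$1"; } | sort -u \
        | tar -cf "$out" -T - 2>/dev/null
    echo "$out"
}
```

Review the archive with `tar -tvf` before removing anything from the disk; the listing shows the preserved mode bits (including the SUID bit) and original time stamps.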