On Sun, 29 Jun 2003 at 02:15, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
>
> The server is a fully updated "stable" Debian system. In fact, it was
> updated just yesterday.
>
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
>
> What do you think? :-(
You have to realize this is a normal step in the life of any sysadmin. So stop being worried and learn from it.

1.- Save all that's possible to save (homedirs, emails, homepages).

2.- Yeah, hard to believe an updated, all-standard-packages woody could be cracked. It's no normal, high-school script kiddie if he pulled that off (probably a college script kiddie though... ;)...). Your box as is provides very good information, but you have to realize that, if you didn't take a couple of steps to foresee this, such as having a network flight recorder somewhere to do forensics on your dead box, it's going to be hard to determine where and how he got in.

2-1/2.- Make a list of ANY installed stuff that is not strict Debian woody. I mean, web database administrators, counters, extra Perl modules got from CPAN (as opposed to apt-get install libperl... etc.). It's more probable that the first-level vulnerability got in there (nevertheless, if you got hacked by a Perl script, then the perl package, apache package or similar is borked).

3.- So, mirror your killed hard drive so that you can dissect it later, set up the box again with certain limited things, say forbid CGIs and move to mod_perl and PHP, forbid people from having bash CGIs (since there is a good chance this is where they got in).

What am I doing? I dunno, there is no checklist that will cover any site; this is what I would do and I'm not very experienced. But whatever you end up with, you should implement post-mortem analysis capabilities at your site (a couple of snort/tcpdump boxes and an actual formalization of your security policies will do). So policy is the thing here anyhow; work on that. Think of a syslog-ng server, your tcpdump network capture server, a snort IDS analysis server, a log analyzer for the syslog server. Once cracked, all one can do is think better for the next time.
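The "mirror your killed hard drive so that you can dissect it later" step and the "list of anything that is not strict Debian" step in the reply above, as an added example that is not part of the original thread: a small POSIX shell helper that images a disk with dd, records a hash of the image so later analysis can prove the evidence was not altered, mounts the image read-only, and lists files that no installed Debian package claims. The function names, the sector-sized block size, and the plain file used in place of a real device are my assumptions; the tools used are GNU coreutils (dd, sha256sum) and dpkg.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for the steps the reply
# names: image the dead disk before touching it, hash the image so the copy can
# be verified later, and inventory files that no Debian package owns.
# Assumptions: POSIX sh plus GNU coreutils (dd, sha256sum) and, for the last
# helper only, dpkg. Function names are hypothetical.

# file_hash FILE: print the SHA-256 of FILE.
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_disk SRC DST: bit-for-bit copy of SRC (a block device such as /dev/sdb,
# or a plain file) to DST, then record DST's hash in DST.sha256.
# conv=noerror,sync keeps dd going past unreadable sectors and pads each bad
# block with zeros so every offset in the image still lines up with the disk.
# bs=512 matches the sector size; a larger bs is faster, but conv=sync would
# then zero-pad the last partial block and the image hash would no longer
# match the source.
image_disk() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    file_hash "$dst" > "$dst.sha256"
}

# verify_image SRC DST: succeed only if SRC and DST hash identically. Run it
# right after imaging, against the disk itself, to prove the copy is faithful.
verify_image() {
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ]
}

# verify_recorded DST: check DST against the hash stored by image_disk. Run it
# before each analysis session to prove nothing altered the evidence since.
verify_recorded() {
    [ "$(file_hash "$1")" = "$(cat "$1.sha256")" ]
}

# mount_image_ro IMG MNT: attach the image read-only so nothing on it can run
# or be modified while you dissect it (needs root; for a whole-disk image add
# offset=<partition start in bytes> to the mount options).
mount_image_ro() {
    mount -o ro,noexec,nodev,nosuid,loop "$1" "$2"
}

# unpackaged_files DIR: print regular files under DIR that no installed Debian
# package claims. It queries the dpkg database of the system it runs on, so use
# it on the old box before wiping it, or inside a chroot of the mounted image.
unpackaged_files() {
    find "$1" -type f | while read -r f; do
        dpkg -S "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}
```

Run image_disk from a live medium with the dead disk attached and unmounted, keep the .sha256 file with the image, and work only on copies of the image. The unpackaged_files output is a starting point for the inventory in step 2-1/2, not a verdict: it will also list legitimately generated files such as logs and locally compiled software, which is exactly the material that list is meant to make you look at.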