| No one likes planning for the worst, which is why two thirds of people do not have wills. It is a scary thing to have your systems hacked: One or more criminals has broken through your carefully laid blocks and caused untold damage to the machine. Your boss, if you have one, will want a full report of what happened and why, and your users will want their email when they sit down at their desks in the morning. What to do? If you ever do get hacked, nothing will take the stress away entirely. However, if you take the time to prepare a proper response in advance, you should at least avoid premature aging. Here are some tips to get you started: Do not just pull the network cable out This alerts the hacker that he has been detected, which rules out any opportunities for security experts to monitor for that hacker returning and actually catch him. Only inform the people who need to know Your boss and other IT people are at the top of the list; other employees are not. Keep in mind that it could be one of the employees behind the attack, and this tips them off. If the machine is not required and you do not want to trace the attack, you can safely remove it from the network However, do not switch it off because some backdoors are only enabled when the system is rebooted. Take a copy of all the log files on the system and store them somewhere else These might have been tampered with, but they might contain nuggets of information. Check the /etc/passwd file and look for users you do not recognize Change all the passwords on the system, and remove bad users. Check the output of ps aux for unusual programs running Also check to see whether any cron jobs are set to run. Look in /var/www and see whether any web pages are there that should not be. Check the contents of the .bash_history files in the home directories of your users Are there any recent commands for your primary user? If you have worked with external security companies previously, call them in for a fresh audit Hand over all the logs you have, and explain the situation. They will be able to extract all the information from the logs that is possible. Start collating backup tapes from previous weeks and months Your system might have been hacked long before you noticed, so you might need to roll back the system more than once to find out when the attack actually succeeded. Download and install Rootkit Hunter from http://www.rootkit.nl/projects/rootkit_hunter.html This searches for (and removes) the types of files that bad guys leave behind for their return.
Keep your disaster recovery plan somewhere safe; saving it as a file on the machine in question is a very bad move! |
