14.13. You've Been Hacked

If you discover a stranger in your network and the server stores information that would be disastrous to lose, I recommend disconnecting the server from the network at once and analyzing the system logs. It is better to make the server's services unavailable for a couple of hours than to lose control over the machine altogether. Disconnect the network rather than powering the server off: the running processes and open connections are evidence you will want during the analysis.

Start the log analysis by checking the system's configuration as explained in Section 12.3. Compare the reports of the log-analyzing programs from before and after the break-in; the differences show what the hacker has done in the system. Remove any rootkits you discover, bearing in mind that a rootkit on the running system can hide its own files and processes from the very tools you run to look for it.

As the next step, verify the checksums of all main files, especially the configuration files in /etc and the executables in /bin (and in the other binary directories, /sbin and /usr/bin). Hackers change these files to plant a back door and to remain in the system unnoticed. The check is only meaningful against checksums recorded before the break-in, or against the package database, so keep such a baseline on read-only media. Having found all changes, restore the affected files to their original state.

Next, check the integrity of the installed kernel packages. List them with the following command, then verify each package on the list against the package database:

    rpm -qa | grep kernel

Now check all installed application packages in the same way, and restore any changed package to its original state.

Next, check that Linux and all services have the current updates. Most break-ins are made possible by outdated software, so update everything. The Web scripts run by the Web server must be updated as well, because they are another common entry point.
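The checksum step above is easier to trust when it is mechanical. The script below is an added example, not code from the book: it records a hash baseline of every file under a directory and later reports files that were modified, removed or newly planted. It assumes GNU coreutils (sha256sum, comm, find, mktemp); the sample tree and the "tampering" are constructed inside the script so that it runs offline, and on a real server you would point make_baseline at /etc, /bin and /sbin before any incident and keep the baseline file on read-only media.

```shell
#!/bin/sh
# Added example, not code from the book: baseline-and-compare integrity check
# of the kind the steps above describe. Assumes GNU coreutils (sha256sum,
# comm, find, mktemp). The sample tree below is constructed for the example.
# Paths are assumed to contain no whitespace.

# make_baseline DIR FILE: record "hash  path" for every regular file under DIR.
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$out"
}

# check_baseline DIR FILE: print one finding per line (MISSING, MODIFIED or
# NEW followed by the path) and return 1 if anything differs from the baseline.
check_baseline() {
    dir=$1; base=$2; rc=0
    # Files recorded in the baseline: still present, and unchanged?
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    # Files present now that the baseline never saw (a planted binary, say).
    awk '{ print $2 }' "$base" | LC_ALL=C sort > "$base.then"
    find "$dir" -type f -print | LC_ALL=C sort > "$base.now"
    new=$(comm -13 "$base.then" "$base.now")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        rc=1
    fi
    rm -f "$base.then" "$base.now"
    return $rc
}

# demo: build a scratch tree, baseline it, tamper with it the way an intruder
# might, and return the sorted findings with the scratch prefix stripped.
demo() {
    tmp=$(mktemp -d)
    tree=$tmp/tree
    mkdir -p "$tree/etc" "$tree/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tree/etc/passwd"
    printf 'PermitRootLogin no\n' > "$tree/etc/sshd_config"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n' > "$tree/bin/ls"
    make_baseline "$tree" "$tmp/baseline.sha256"

    # Constructed tampering "after the break-in":
    printf 'PermitRootLogin yes\n' > "$tree/etc/sshd_config"  # config edited
    printf '#!/bin/sh\n' > "$tree/bin/.hidden"                 # file planted
    rm "$tree/etc/passwd"                                      # file removed

    check_baseline "$tree" "$tmp/baseline.sha256" | sed "s|$tmp||" | LC_ALL=C sort
    rm -rf "$tmp"
}

demo
```

On an RPM-based system, `rpm -Va` performs the same kind of comparison for every installed package against the package database, and `rpm -V <package>` does it for one package from the list produced above. The database lives on the compromised disk, however, so treat its verdict with the same suspicion as the system's own binaries, and prefer a baseline taken before the break-in and stored off the machine.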

If the server provides Web services, do not put it back online until all of the Web scripts have been checked. Only then put the server back online and start closely monitoring the system.

Now analyze the logs to determine exactly how the hacker performed the break-in, while monitoring the running system at the same time. If the hacker tries to get back into the system, you should be able to detect and stop the attempt before it succeeds, so that you do not have to analyze and clean the system all over again.

While you are analyzing the logs, all users must change their server login passwords and their passwords for all services, since you do not yet know which credentials the hacker obtained.

You should determine the following from the log analysis:

  • The services the hacker used, and which logs record the hacker's activity on the server

  • The accounts, and their parameters, that the hacker was able to discover and use

  • The commands the hacker executed
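As an added example of extracting the facts listed above from a log (it is not code from the book), the script below runs three small awk programs over constructed sshd log lines: which accounts logged in from where, which sources failed repeatedly before getting in, and the time window of each session, obtained by matching the Accepted line with the disconnect logged by the same sshd process id. The log lines and the IP addresses (documentation ranges) are made up for the example; on a real server you would feed /var/log/secure or /var/log/auth.log to the same programs. It assumes a POSIX awk.

```shell
#!/bin/sh
# Added example, not code from the book: pulling service, account, source and
# session window out of sshd log lines with awk. The log below is constructed
# for the example; feed /var/log/secure or /var/log/auth.log on a real system.

sample_log() {
cat <<'EOF'
Mar  3 02:11:07 srv sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:09 srv sshd[4311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:11:14 srv sshd[4315]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:20 srv sshd[4315]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:11:26 srv sshd[4319]: Accepted password for root from 203.0.113.7 port 51041 ssh2
Mar  3 02:13:40 srv sshd[4319]: Received disconnect from 203.0.113.7 port 51041:11: disconnected by user
Mar  3 08:30:02 srv sshd[5120]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
EOF
}

# accepted_logins: "user source count" for every successful login.
accepted_logins() {
    sample_log | awk '$5 ~ /^sshd/ && $6 == "Accepted" { n[$9 " " $11]++ }
                      END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# brute_force_successes: sources that failed at least 3 times and then got in.
# The user name is the field before "from" and the source the field after it,
# which also handles the "invalid user NAME" form of the failure message.
brute_force_successes() {
    sample_log | awk '
        $5 ~ /^sshd/ && ($6 == "Accepted" || $6 == "Failed") {
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); user = $(i - 1) }
            if ($6 == "Failed") fail[src]++
            else acc[src] = (acc[src] == "" ? user : acc[src] "," user)
        }
        END { for (s in acc) if (fail[s] >= 3) print s, "failures=" fail[s], "accepted_as=" acc[s] }
    ' | LC_ALL=C sort
}

# session_windows: match each Accepted line with the disconnect logged by the
# same sshd process id, giving the interval in which commands were run.
session_windows() {
    sample_log | awk '
        $6 == "Accepted" { start[$5] = $3; who[$5] = $9 "@" $11 }
        $6 == "Received" && $7 == "disconnect" { end[$5] = $3 }
        END { for (p in start) print who[p], start[p], ((p in end) ? end[p] : "still-open") }
    ' | LC_ALL=C sort
}

echo "== accepted logins (user source count)"; accepted_logins
echo "== brute force followed by success";     brute_force_successes
echo "== session windows";                     session_windows
```

The session window is what you then take to the other records: shell history files, process accounting and the logs of any other service written in that interval are where the commands the hacker executed will show up, if they have not been wiped.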

You should learn as much as possible, so that you can be sure you have taken every step necessary to prevent a repeat break-in. Some administrators simply restore the server and some time later pay for it by having to restore it again.

It is desirable to obtain as much information as possible about the hacker and to turn it over to law-enforcement agencies. Do not always try to fight hackers on your own, because you cannot always win. Hackers who feel invulnerable will keep breaking in, and with each break-in the chances increase that they will get what they are after. Ask the law-enforcement agencies with the appropriate jurisdiction and facilities to find and stop the hacker.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141