What to Do if You've Been Hacked

Humor books aside, it is never fun trying to come up with worst-case scenarios, and it's even less fun trying to figure out how to survive them. Thinking about the day someone breaks into your carefully protected, what-seemed-secure network and compromises your system is harder still. Yet thinking about it ahead of time can ease the stress of that day and can also put that day further into the future.

You can take courses and even get certified in disaster recovery management, also called business continuity. The suggestions offered here only scratch the surface, but the following ideas will help you think out and plan for the day that no one wants to come, and how to survive and recover from it. The job you save may be your own.

  • Don't just shut the network down. If the attack has ended, you let the attacker know you're on to him by yanking the cord. Give the security team a chance to catch the perpetrator if he returns.

  • Not everyone needs to know you've been attacked. If the attack came from inside, it wouldn't be a good idea to tell all the employees.

  • Head over to http://www.rootkit.nl/projects/rootkit_hunter.html and pick up a copy of the Rootkit Hunter. Rootkits are programs attackers leave behind so they can mess you up again. They are designed to hide themselves, but this application can help you find them. The bad news is that if a rootkit is found, you have to wipe the machine and start over.

  • After you've thought about it and decided the compromised machine is not really required on the network, take the machine offline. You may decide that the chances of your attacker coming back are slim, and so you don't want to try luring him back.

  • Start reviewing your log files, and store copies of them somewhere else, off the compromised machine. Even though log files can be edited (they are just text files, after all), there may still be useful information in them that can help you track down the attacker.

  • Check /etc/passwd for unauthorized users. Although you should be storing your genuine user passwords in /etc/shadow, invaders often create new users in /etc/passwd in hopes that some applications just check that file to confirm permissions. If you see a user you don't recognize or can't verify, remove it immediately.

  • Run lsof to obtain a list of open files. The -p option can be used to specify a process ID number (such as a suspected user's shell) to limit the display to only those open files associated with that process.

  • Run ps aux to check for unusual programs running on the system, and watch your cron job listing, too.

  • Check on /srv/www and make sure all your web pages are present, accounted for, and unchanged.

  • Check the contents of .bash_history in each of your users' home directories. Look for attempts to log in as the superuser (root). If you find them, don't put that user under suspicion automatically; that user may have just been the unlucky account the attacker reached.

  • If you have a prior relationship with a security company, call them in right away. They can find things in the log files that an untrained observer won't.

  • Bring those backup tapes back and start checking them. Just because you noticed this attack doesn't necessarily mean it was the first time.

  • If you haven't done so already, develop a more formal disaster recovery plan!
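The file-based checks in the list above (preserving logs, auditing /etc/passwd, verifying the web tree, and scanning shell histories) lend themselves to a script you can keep on a rescue disk. The following POSIX shell script is an added example written for this page, not code from the book or from SUSE. It assumes two things you prepared while the system was still clean: a known-good account list and a hash manifest of the web root (both are my assumptions, not something the book describes). It runs here against constructed sample data built in a temporary directory; on a real host you would point the functions at /var/log, /etc/passwd and /srv/www instead.

```shell
#!/bin/sh
# Added example (not from the book): post-compromise triage helper that
# automates the file-based steps of the checklist above.
set -u

# Hash helper: sha256sum (coreutils) or shasum (BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step "store your log files somewhere else": copy every file under $1 into
# $2 and record its hash so later tampering with the copies is detectable.
# Prints the number of files preserved.
preserve_logs() {
    src=$1; dst=$2
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dst/"
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$dst/MANIFEST.sha256"
    done
    wc -l < "$dst/MANIFEST.sha256" | tr -d ' '
}

# Step "check /etc/passwd": print accounts in the passwd file ($1) that are
# absent from the known-good account list ($2), one per line.
unknown_users() {
    awk -F: 'NR==FNR { known[$1]=1; next }
             !($1 in known) { print $1 }' "$2" "$1"
}

# Also from the passwd step: any account other than root that has UID 0 is
# a second root login and is always worth a look.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step "check /srv/www": compare the files under $1 with a manifest ($2)
# ("<sha256>  <relative path>" lines) written when the site was known good.
changed_web_files() {
    webroot=$1; manifest=$2
    while read -r want path; do
        if [ ! -f "$webroot/$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$webroot/$path")" != "$want" ]; then
            printf 'CHANGED %s\n' "$path"
        fi
    done < "$manifest"
}

# Step "check .bash_history": for every home directory under $1, print the
# history lines that attempt to become root via su or sudo, prefixed by user.
root_attempts() {
    for h in "$1"/*/.bash_history; do
        [ -f "$h" ] || continue
        user=$(basename "$(dirname "$h")")
        grep -E '^(su|sudo)( |$)' "$h" | sed "s|^|$user: |"
    done
}

# Constructed sample data (not a real system) so the script runs offline.
# The passwd file carries an unknown "toor" account with UID 0, the web page
# is altered after its manifest was taken, and bob's history shows su/sudo.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/log" "$d/www" "$d/home/bob"
    printf 'Jun  1 02:13:07 host sshd: Accepted password for bob\n' > "$d/log/messages"
    printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:100::/home/bob:/bin/bash\n' > "$d/passwd"
    printf 'toor:x:0:0::/:/bin/sh\nwww:x:30:8::/var/lib/wwwrun:/bin/false\n' >> "$d/passwd"
    printf 'root\nbob\n' > "$d/known_users"
    printf '<h1>Welcome</h1>\n' > "$d/www/index.html"
    printf '%s  index.html\n' "$(hash_file "$d/www/index.html")" > "$d/www.manifest"
    printf '<h1>Welcome</h1><p>defaced</p>\n' > "$d/www/index.html"
    printf 'ls\nsu -\nsudo vi /etc/passwd\nexit\n' > "$d/home/bob/.bash_history"
    echo "$d"
}

# Stand-alone run against the constructed sample.
D=$(demo_setup)
echo "log files preserved: $(preserve_logs "$D/log" "$D/evidence")"
echo "unknown accounts:    $(unknown_users "$D/passwd" "$D/known_users" | tr '\n' ' ')"
echo "extra UID 0:         $(extra_uid0 "$D/passwd")"
changed_web_files "$D/www" "$D/www.manifest"
root_attempts "$D/home"
rm -rf "$D"
```

The functions write only to the evidence directory you name, so they can be run from read-only media against a mounted copy of the suspect disk. A missing account list or manifest simply means those two checks cannot be done, which is one more argument for preparing them before the incident rather than after.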



SUSE Linux 10 Unleashed
SUSE Linux 10.0 Unleashed
ISBN: 0672327260
Year: 2003
Pages: 332
