Chapter 19. Finding and Repairing the Damage

At this point, you have detected a break-in. If your budget and preparation allowed for it, it is assumed that you have switched to "Auxiliary Control," a Security Backup System (SecBack) intended for use when the primary system is compromised. Running on the backup system gives you more time to find the damage.

It is assumed that the crackers may have gained root and were clever. This means that you cannot trust anything on the disk or in memory. Hopefully, you ensured that log files were duplicated in real time onto another system that was not penetrated, that you made periodic backups that are kept in secure storage, and so on. Techniques for duplicating log files in real time are explained in "The syslogd and klogd Daemons" on page 686.

The topics covered in this chapter include:

  • "Check Your /var/log Logs" on page 686

  • "The syslogd and klogd Daemons" on page 686

  • "Remote Logging" on page 686

  • "Interpreting Log File Entries" on page 687

  • "Check Other Logs" on page 694

  • "Check TCP Wrapper Responses" on page 694

  • "How the File System Can Be Damaged" on page 694

  • "Planting False Data" on page 695

  • "Altered Monitoring Programs" on page 695

  • "Stuck in the House of Mirrors" on page 696

  • "Getting Back in Control" on page 696

  • "Finding Cracker-Altered Files" on page 697

  • "Sealing the Crack" on page 704

  • "Finding set-UID Programs" on page 705

  • "Finding the mstream Trojan" on page 706

Real World Linux Security Prentice Hall Ptr Open Source Technology Series
Year: 2002