When your computer is broken into, use Knoppix to collect all of the forensics data for later analysis.
Possibly the worst sentence for a system administrator to hear is "The server has been hacked." If you take pride in the systems you run, finding out some vandal is having his way with your server makes you feel, well, violated. When your system gets hacked, and you want to track down the attacker, or at least how he hacked it, you must collect forensics data from the server.
An excellent tool for collecting forensics data is the Coroner's Toolkit (http://www.porcupine.org/forensics/tct.html). Two of the tools from this toolkit, unrm and lazarus, are covered in [Hack #58]. The tool you should use to collect forensics data is called grave-robber. Grave-robber scans the system and collects as much useful information as it can (and it collects a lot) so that it can be pored through at a later date. You want to get as much data from the current state of the computer as possible; if you need to format and put the system back into service quickly, you can still see the state at which the machine was compromised.
With a Knoppix disc, you can either boot onto the compromised server and scan the hard drives directly, or work with an image of the compromised server's hard drives. Grave-robber refers to this type of machine as a corpse, because (besides the TCT author's fondness for grave metaphors) the machine is no longer live. In fact, if you can, follow the steps in [Hack #48] to create an image of your drive, so that you can leave the original alone and do all of your work from the copy. Grave-robber can potentially generate a few megabytes of output, depending on the size of the drive scanned and the data it collects. Keep this drive in as pristine a state as possible by finding some other media, such as another hard drive on the system, a USB drive, or a network share, to store the data. The default is to save all data in /var/cache/tct/data, but as that directory is running from the ramdisk under Knoppix, not only does it not have enough room to store the data, the data is erased once Knoppix is shut down. So find a larger, more permanent place to store everything.
Mount both drives, and then start the script command as root, so that you can review the verbose output from grave-robber at a later date and follow the process of grave-robber :
knoppix@ttyp0[knoppix]$ sudo mount /dev/hda1 /mnt/hda1
knoppix@ttyp0[knoppix]$ sudo mount -o rw /dev/hdb1 /mnt/hdb1
knoppix@ttyp0[knoppix]$ sudo mkdir /mnt/hdb1/data
knoppix@ttyp0[knoppix]$ sudo script /mnt/hdb1/grave-robber-output
Script started on Tue Jul 13 21:53:20 2004
root@0[knoppix]#
Replace /dev/hda1 with the drive from which you want to collect data, and replace /dev/hdb1 with the drive to which you want to save data. The script command saves all input and output from the terminal into /mnt/hdb1/grave-robber-output so you can review your steps. If you run script with sudo, you should now have a root prompt to run the grave-robber command:
root@0[knoppix]# grave-robber -c /mnt/hda1 -o LINUX2 -d /mnt/hdb1/data -v
The -c argument tells grave-robber that instead of scanning the current machine (the default), it should scan a corpse mounted at the specified directory, in this case /mnt/hda1. The -o option tells grave-robber which OS the corpse was running and is required if you are scanning a corpse. This example was scanned on a Linux system, but grave-robber also supports FreeBSD, OpenBSD, and other OSes (view the manpage for the current list). The -d option specifies where to save the data grave-robber collects, and the -v option gives verbose output, so you can see each step grave-robber takes.
Once the command completes, type the following command to end the script session and get back to a normal prompt:
root@0[knoppix]# exit
Script done, file is /mnt/hdb1/grave-robber-output
knoppix@ttyp0[knoppix]$
Most of the files that grave-robber creates are readable only by root, so they are simpler to browse if you click K Menu -> KNOPPIX -> Root Shell to open a root terminal. Now change to the data directory that you created to browse through the grave-robber output:
root@ttyp0[knoppix]# cd /mnt/hdb1/data
root@ttyp0[data]# ls
body  body.S  command_out  conf_vault  icat  proc  trust
If you understand how grave-robber organizes the output, you have a good point at which to start the analysis. Here are a few of the important files and directories:
The body file is the file database: one pipe-delimited line per file on the corpse, with its MD5 hash, inode, mode, owner, size and access/modification/change times. Here is an excerpt:

class|host|start_time
body|Knoppix|1089770144
md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
000|/mnt/hda1/var|61440|352722|16877|drwxr-xr-x|16|0|0|0|2048|1084817810|1075129507|1076277991|4096|4
000|/mnt/hda1/var/yp|61440|32190110|16877|drwxr-xr-x|3|0|0|0|2048|1084817810|1084660839|1084660839|4096|4
000|/mnt/hda1/var/yp/binding|61440|33599814|16877|drwxr-xr-x|2|0|0|0|2048|1084817810|1005606373|1076277977|4096|4
c282385f892919eb4135dd333096fa06|/mnt/hda1/var/yp/Makefile|61440|33599692|33188|-rw-r--r--|1|0|0|0|16868|1084660839|1084009530|1084660839|4096|33
e8407552a8b0c1447940b81fc1ad57a4|/mnt/hda1/var/yp/nicknames|61440|33599934|33188|-rw-r--r--|1|0|0|0|185|1084722449|1003331481|1076277978|4096|1
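As an added example (not from the book and not part of TCT), here is a small Python parser for the body format shown above that builds a mactime-style m/a/c timeline and lists the files whose content or inode changed after a given time; the two sample records are the Makefile and nicknames rows from the excerpt, and the flag layout is my own rendering of what mactime prints.

```python
"""Parse a grave-robber body file and turn it into a mactime-style timeline."""

# Constructed sample: header rows plus the two file records from the body excerpt above.
SAMPLE_BODY = """\
class|host|start_time
body|Knoppix|1089770144
md5|file|st_dev|st_ino|st_mode|st_ls|st_nlink|st_uid|st_gid|st_rdev|st_size|st_atime|st_mtime|st_ctime|st_blksize|st_blocks
c282385f892919eb4135dd333096fa06|/mnt/hda1/var/yp/Makefile|61440|33599692|33188|-rw-r--r--|1|0|0|0|16868|1084660839|1084009530|1084660839|4096|33
e8407552a8b0c1447940b81fc1ad57a4|/mnt/hda1/var/yp/nicknames|61440|33599934|33188|-rw-r--r--|1|0|0|0|185|1084722449|1003331481|1076277978|4096|1
"""

INT_FIELDS = ("st_size", "st_atime", "st_mtime", "st_ctime", "st_uid", "st_gid", "st_nlink")


def parse_body(text):
    """Return one dict per record, keyed by the names in the md5|file|... header line."""
    records, fields = [], None
    for line in text.splitlines():
        if not line or line.startswith("class|") or line.startswith("body|"):
            continue  # the class/host/start_time preamble carries no file data
        if line.startswith("md5|"):
            fields = line.split("|")  # column names come from the file itself
            continue
        values = line.split("|")
        if fields is None or len(values) != len(fields):
            continue  # skip a truncated or corrupt row instead of mis-aligning columns
        rec = dict(zip(fields, values))
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def timeline(records):
    """Sorted (epoch, 'mac' flags, path) events; a file whose m/a/c times coincide
    gets a single event with combined flags, the way mactime prints them."""
    events = {}
    for rec in records:
        for attr, flag in (("st_mtime", "m"), ("st_atime", "a"), ("st_ctime", "c")):
            events.setdefault((rec[attr], rec["file"]), set()).add(flag)
    return [(ts, "".join(f if f in flags else "." for f in "mac"), path)
            for (ts, path), flags in sorted(events.items())]


def changed_since(records, epoch):
    """Paths whose content (mtime) or inode (ctime) changed at or after epoch:
    the first list to pull when narrowing down the intrusion window."""
    return sorted(r["file"] for r in records if max(r["st_mtime"], r["st_ctime"]) >= epoch)
```

Point parse_body at the real body file from /mnt/hdb1/data and feed the result to changed_since with the earliest time you suspect the break-in happened.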
Computer forensics is a complicated subject that requires a lot of time and experience and is outside the scope of this hack. For more information on forensics analysis, visit http://www.cert.org.