Archive-name: computer-security/compromise-faq
Posting-frequency: monthly
Last-Modified: 1994/04/12
Version: .5

Compromise: What if your Machines are Compromised by an Intruder.

This FAQ deals with some suggestions for securing your Unix machine after it has already been compromised. Even if your machines have not been compromised, there are many helpful tips in this paper on securing them. This is a beta FAQ that still needs much work. I would appreciate any suggestions. This FAQ will be posted monthly.

1. Try to trace the intruder back to his origin by looking at:
   a) who
   b) w
   c) last
   d) lastcomm
   e) netstat
   f) snmpnetstat
   g) router information.

   Footnote: 'who' and 'w' read /etc/utmp, 'last' reads /usr/adm/wtmp, and 'lastcomm' reads /var/adm/pacct. Most backdoors keep the intruder from appearing in these files at all, and even an intruder who has not installed a backdoor yet can trivially edit the files and remove his own entries, so treat their output as a starting point rather than as proof of anything.

   Suggestion: Install xinetd or tcp_wrappers, which log every connection made to your machine, so you can see if someone is knocking on its doors. It might be wise to monitor the intruder with an ethernet sniffer to see how he got in and what he is doing before taking corrective measures.

2. Close the machine to outside access. Remove it from the network to stop the intruder getting back in. If the intruder finds out that the administrator is onto him, he may try to hide his tracks with rm -rf /.

3. Check the binaries against the originals. Especially check the following binaries, because they are commonly replaced with backdoored versions used to regain access:
   a) /bin/login
   b) all the /usr/etc/in.* files (e.g. in.telnetd)
   c) /lib/libc.so.* (on Suns).
   Other binaries commonly replaced with backdoored versions:
   a) netstat - hides the intruder's connections
   b) ps - hides processes (e.g. a running Crack)
   c) ls - hides directories
   d) ifconfig - hides the fact that the ethernet interface is in promiscuous mode
   e) sum - reports the original checksum for a modified binary. This one is not necessarily replaced anymore, because a trojan can be padded so that its checksum comes out to the original value without touching sum at all.

   Another popular backdoor is setting the setuid bit on a common command (e.g. /bin/time) so that a regular account can get root. To be thorough you may need to reload the entire OS from the distribution media to make sure there are no backdoors left. Tripwire detects changes to binaries by comparing them against a database of checksums recorded while the system was clean, so the administrator finds out when something has been modified.

4. Implement a password aging scheme so that your users change their passwords regularly. Use Crack to make sure that users are not picking guessable passwords.

5. Check all the users' .rhosts and .forward files to make sure none of them are weird or out of the ordinary. If a .rhosts file contains '+ +', the account can be accessed from anywhere by anyone without a password. COPS includes a script for checking .rhosts files.

6. Check that none of your NFS exports are exported read/write to everyone. NFSwatch, a program by David Curry, will log the NFS transactions that are taking place.

7. Make sure you are running the newest sendmail daemon. Old sendmail daemons allowed remote execution of commands on any Unix machine running them.

8. Install all the security patches available from your vendor for your machine.

9. Run rpcinfo -p on your machine to make sure it is not running any RPC services that are not needed (e.g. rexd).

10. Mail the administrators of every site you found the intruder passing through and warn them. Also CC: cert@cert.org.

11. An effective way to stop many intruders from even trying your network is to install a firewall. Block all UDP ports except those used for DNS and NTP. Drop all source-routed packets. Drop packets that would be IP-forwarded through the firewall host (i.e. turn IP forwarding off on it).
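The following is an added example for the tcp_wrappers suggestion in item 1; it is not part of the FAQ. It summarises the syslog lines that tcpd writes ("daemon[pid]: connect from host" and "refused connect from host") per service and per remote host, so that a host hammering several services stands out. The log lines in SAMPLE_LOG are constructed sample data, not a real capture, and the host names in them are made up.

```bash
#!/bin/sh
# Added example (not from the FAQ): summarise tcp_wrappers (tcpd) syslog
# entries so you can see who has been knocking on the machine's doors.
# Assumes tcpd's default log format:
#   Mon DD HH:MM:SS host daemon[pid]: connect from remotehost
#   Mon DD HH:MM:SS host daemon[pid]: refused connect from remotehost
# The lines below are constructed sample data, not a real capture.

SAMPLE_LOG='Apr 12 02:10:31 shadow in.telnetd[2011]: connect from evil.example.net
Apr 12 02:10:40 shadow in.rlogind[2013]: refused connect from evil.example.net
Apr 12 02:11:02 shadow in.ftpd[2019]: connect from evil.example.net
Apr 12 02:11:55 shadow in.telnetd[2022]: connect from evil.example.net
Apr 12 09:30:12 shadow in.telnetd[2301]: connect from ws12.example.edu
Apr 12 09:31:03 shadow in.fingerd[2305]: connect from evil.example.net'

# summarize_tcpd: reads tcpd log lines on stdin and prints
#   <count> <service> <accepted|refused> <remote host>
# with the busiest combination first.
summarize_tcpd() {
    awk '
        # $5 is "daemon[pid]:", the remote host is always the last field
        /connect from/ {
            svc = $5; sub(/\[.*/, "", svc)
            status = ($6 == "refused") ? "refused" : "accepted"
            n[svc " " status " " $NF]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# top_sources: reads tcpd log lines on stdin and prints
#   <count> <remote host>
# counting every connection attempt, accepted or refused.
top_sources() {
    awk '/connect from/ { c[$NF]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# Usage on a live system (syslog location varies by vendor):
#   grep 'connect from' /var/adm/messages | top_sources
demo() {
    printf '%s\n' "$SAMPLE_LOG" | top_sources
}
```

Run the same functions over the real syslog file and read the top of top_sources first: one host touching telnet, rlogin, ftp and finger within a minute is a probe, whatever the individual services logged.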
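The following is an added example for item 3 and the note on suid'ed commands; it is not code from the FAQ. It checks installed files against a checksum manifest taken from a known-clean system and lists every setuid/setgid file. It uses cksum (CRC-32) rather than sum because, as the FAQ notes, a trojan can be padded until sum agrees with the original; a CRC can be forged the same way, so a match only means "not obviously modified" and the distribution media remains the real reference. The manifest format and the make_sample miniature system are assumptions for the demonstration.

```bash
#!/bin/sh
# Added example (not from the FAQ): verify binaries against a checksum
# manifest and list setuid/setgid files.
# Assumption: the manifest was produced on a clean system (or from the
# vendor media) with, for example:
#     cd / && cksum bin/login usr/etc/in.* lib/libc.so.* > manifest
# cksum is a CRC-32, which can be forged like sum; a match is
# "not obviously modified", nothing more.

# verify_manifest MANIFEST ROOT
# Manifest lines are "crc size path" as printed by cksum; paths are
# resolved relative to ROOT (use "/" for the live system). Prints one
# line per changed or missing file and returns 1 if anything differed.
verify_manifest() {
    manifest=$1
    root=$2
    rc=0
    while read -r want size path; do
        [ -z "$path" ] && continue
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        have=$(cksum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path (manifest $want, installed $have)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# list_suid ROOT
# Every regular file under ROOT with the setuid or setgid bit set.
# Compare against the same listing from a clean install: a setuid
# /bin/time is a backdoor, not a vendor feature.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# make_sample: constructed miniature system in a temporary directory so
# the functions can be exercised offline. Prints the directory. It ends
# up with a trojaned ps, a deleted ls and a suid'ed time.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'clean login\n' > "$tmp/bin/login"
    printf 'clean ps\n'    > "$tmp/bin/ps"
    printf 'clean ls\n'    > "$tmp/bin/ls"
    printf 'clean time\n'  > "$tmp/bin/time"
    # manifest recorded while everything was still clean
    ( cd "$tmp" && cksum bin/login bin/ps bin/ls bin/time ) > "$tmp/manifest"
    # the intruder's changes
    printf 'trojaned ps that hides processes\n' > "$tmp/bin/ps"
    rm "$tmp/bin/ls"
    chmod u+xs "$tmp/bin/time"
    echo "$tmp"
}

# demo: run both checks against the constructed sample.
demo() {
    root=$(make_sample)
    verify_manifest "$root/manifest" "$root/"
    list_suid "$root"
}
```

On a real machine run verify_manifest with a manifest that was never stored on the compromised host (a trojaned cksum or a manifest the intruder could edit defeats the check), and compare list_suid output against a clean install rather than eyeballing it.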
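The following is an added example for items 5 and 6; it is not the COPS script nor any other code from the FAQ. It audits .rhosts files for '+' wildcards (per rhosts(5), a '+' in the host or user field matches anything, so '+ +' admits anyone from anywhere with no password), lists .forward entries that run a program, include a file or write to a path, and flags NFS exports open to every host or with root squashing turned off. The exports check assumes the Linux exports(5) syntax "path client(options) ...", which is not the SunOS/BSD format of the FAQ's era; the sample files built by make_sample are constructed.

```bash
#!/bin/sh
# Added example (not from the FAQ): audit ~/.rhosts, ~/.forward and the
# NFS export list. Assumes Linux exports(5) syntax for the export file.
# All sample data is constructed by make_sample.

# audit_rhosts HOMES   (HOMES is the directory containing the home dirs)
audit_rhosts() {
    for f in "$1"/*/.rhosts; do
        [ -f "$f" ] || continue
        # a world-writable .rhosts lets anyone grant themselves access
        if [ -n "$(find "$f" -perm -002)" ]; then
            echo "WRITABLE $f"
        fi
        grep -v '^[[:space:]]*#' "$f" | while read -r host user; do
            [ -z "$host" ] && continue
            if [ "$host" = "+" ] && [ "$user" = "+" ]; then
                echo "ANY-USER-ANY-HOST $f"
            elif [ "$host" = "+" ]; then
                echo "ANY-HOST $f: $host $user"
            elif [ "$user" = "+" ]; then
                echo "ANY-USER $f: $host $user"
            fi
        done
    done
}

# audit_forward HOMES
# A .forward line that pipes to a program, includes another file or
# writes to a path runs as the user whenever mail arrives; list them.
audit_forward() {
    for f in "$1"/*/.forward; do
        [ -f "$f" ] || continue
        grep -n -e '|' -e ':include:' -e '^[[:space:]]*/' "$f" | sed "s|^|PROGRAM $f:|"
    done
}

# audit_exports EXPORTS_FILE
# Flags exports with no client list or a '*' client (any host may mount
# them) and clients given no_root_squash (remote root is root here too).
audit_exports() {
    set -f   # no globbing: a client entry like "*(rw)" must stay literal
    grep -v '^[[:space:]]*#' "$1" | while read -r path clients; do
        [ -z "$path" ] && continue
        if [ -z "$clients" ]; then
            echo "WORLD $path (no client list)"
            continue
        fi
        for c in $clients; do
            host=${c%%\(*}
            opts=""
            case "$c" in *\(*) opts=${c#*\(}; opts=${opts%\)};; esac
            case "$host" in ''|'*') echo "WORLD $path ($c)";; esac
            case ",$opts," in *,no_root_squash,*) echo "ROOT-SQUASH-OFF $path ($c)";; esac
        done
    done
    set +f
}

# make_sample: constructed home directories and export file in a
# temporary directory. Prints the directory.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice" "$tmp/home/bob" "$tmp/home/carol"
    printf '%s\n' '+ +' > "$tmp/home/alice/.rhosts"
    printf '# trusted hosts\nws12.example.edu bob\n+ bob\n' > "$tmp/home/bob/.rhosts"
    printf 'carol@mail.example.edu\n"|/tmp/.x/run"\n' > "$tmp/home/carol/.forward"
    printf '# exports\n/export *(rw,no_root_squash)\n/home 192.0.2.0/24(rw)\n/pub (ro)\n' > "$tmp/exports"
    echo "$tmp"
}

# Usage on a live system: audit_rhosts /home; audit_forward /home;
# audit_exports /etc/exports
```

Anything audit_rhosts or audit_forward prints deserves a look at the file's modification time and at who else could write to the home directory: an intruder who cannot get root will still plant a '+ +' or a program pipe in an account he already holds.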
Copyright

This paper is Copyright (c) 1994 by Christopher Klaus. Permission is hereby granted to give away free copies. You may distribute, transfer, or spread this paper. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Address of Author

Please send suggestions, updates, and comments to: Christopher Klaus

--
Christopher William Klaus
Email: cklaus@shadow.net
Author: Internet Security Scanner
2209 Summit Place Drive, Dunwoody, GA 30350-2430.
(404) 998-5871.