Hackattack Response #2: STEP by STEP forensics for Linux and Windows
Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: Hackattack Response #2: STEP by STEP forensics for Linux and Windows

  1. #1
    Junior Member
    Join Date
    Jan 2006
    Posts
    2

    Lightbulb Hacking attack Response: STEP by STEP forensics for Linux and Windows

    This has got potential to be a really good thread.

    Let's imagine the following scenario.

    One of your Red Hat servers has been compromised. The hacker has got root access. You want to know how did he get in.

    What are the steps and methodology that you apply as soon as you are sitted in the console in order to get the big picture as fast as possible? Have you got this scripted?

    EDIT: Let's assume this has to be a live analysis, we cannot afford to take it offline as it's a production server and every minute the server is down is worth several thousand dollars in cost.

    My steps. Feel free to add yours.

    [redhat@linux FC4]# w
    [redhat@linux FC4]# who
    [redhat@linux FC4]# ps -aux
    [redhat@linux FC4]# lsof -i
    [redhat@linux FC4]# netstat -an
    [redhat@linux FC4]# dmesg
    etc...

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I would probably take the machine offline, pull the hdd, mount it in another machine with noexec, readonly, nosuid and nodev, then dd a backup off it and hash the backup to verify its contents later. Then I would copy the dd'd backup to another machine mount it noexec... and start your forensics with your favorite set of tools. If you had a network ids up somewhere on the same network you may be able to find out exactly how they got in. With the copy of the filesystem you should be able to find out a lot about what they did once on the machine.

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Initially, you said the hacker has root; therefore, you are wasting your time typing those commands since you should operate under the assumption a rootkit has been applied/installed. You should have a CD on standby with statically linked versions of those commands, that way its a little harder for the commands to be hijaacked. Regardless, before I turned the system off, I'd use memdump to dump out everything thats running to removeable media. Browsing through memory can provide useful places for you to begin your search when you do go through the filesystem.

    After you get the memdump, you can use something like helix to boot from to get your image of the hdd. After that, as h3r3tic said, mount the image (though I'd add to mount it read-only and to take a md5 hash of both the memory image and the hdd image and would also consider making two copies and only playing with the second). You can then go to town looking for the evidence (helix comes with several tools) but you can also use something like autopsy (if you don't have the funds for something like encase) and use it to browse the not only the file system but slack space and through deleted files and for looking at MAC times (modify/access/created), which can be very useful for backtracking what the hacker did while in the system.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Junior Member
    Join Date
    Jan 2006
    Posts
    2
    Good tips there.

    But I forgot to include an IMPORTANT detail here.

    This is a production server, we are dealing with a critical server with a big database for an ecommerce application. Every minute that the server is offline costs the company several thousand dollars.

    From a business perspective, we cannot simply afford to take it offline, even assuming root compromise or that a rootkit has been installed.

    The first approach is to identify the incident, then contain it and then eradicate it. While always keeping it online, unless we detected that a major event has happened, such as credit numbers stolen.

    So let's assume we cannot take it offline and we have to find out as fast as possible what has happened and how to contain it.

    Let's see what are the steps and methodology we'd follow so that we can add detailed actions, tips, tricks and so on to the process.

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi devantionline

    Are you a former Enron employee?

    This is a production server, we are dealing with a critical server with a big database for an ecommerce application. Every minute that the server is offline costs the company several thousand dollars.
    You have now transcended IT, and your decision making ambit..............time to call in the corporate lawyers and look at damage limitation exercises..............as well as your government law enforcement agencies?

    You should have had a redundant back up server(S) shouldn't you?

    If you are the type who believes in fighting fires on the fly, then I would FIRE you!

    Your advice is verging on the criminally cretinous............you have obviously never had a proper job.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Your advice is verging on the criminally cretinous............you have obviously never had a proper job.
    Judging by the scenario, most likely a student with an assignment due Monday....

    Connection refused, try again later.

  7. #7
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Judging by the scenario, most likely a student with an assignment due Monday....
    Could be?..............hell a "compromised " e-commerce server, and leave it online

    Take it down immediately; or get sued by everyone who has their identity, credid card, bank account and other details stolen?

    That is why you pay corporate taxation..................for the FEDs?

    And if you p1$$ about like he is suggesting, you are compromising a CRIME SCENE!

    Ack! phtt!

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #8
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Originally posted here by nihil
    Take it down immediately; or get sued by everyone who has their identity, credid card, bank account and other details stolen?
    EXACTLY! Why in the world would you leave that timebomb online?

    I think Relyt was right, it may be an assignment that is due soon. If this is a real e-commerce server, please let me know which company this is so I never use their site again! Cripes!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Could someone do us all a favor and move this to tech humor.....

    Obviously we have a young wo/man with a healthy imagination and the desire to be a hero....

    Methinks, when s//herhe takes his high school computer science class s/he will see the error of his/her ways....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Wow, I think I've seen everything now. A newbie with a first post, posting way outta his/her depth. Getting a huffy replies from _nihil_, for crying out loud. AND, in serious danger of being eaten by Tiger Shark.

    I can die in peace now.


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides