
Thread: Hackattack Response #2: STEP by STEP forensics for Linux and Windows

  1. #11
    Senior Member
    Join Date
    Sep 2005
    Posts
    332
    Well, let's see. Taking my limited security and PC forensic knowledge into account, it seems to me that the server is already pretty messed up if someone got root access. Even with my limited know-how I would have a backup server ready to go, and since I am always looking for a reason to smash things (I recently let a container of frosting go bad so I could use it as a baseball), I would most likely back up what I could/needed, take the compromised server offline, put the backup online, make a new backup server, then go out back and play full-contact golf with the old server. Problem fixed.
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  2. #12
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by whizkid2300:
    "With the server still on. The attacker has access to it. They control the box."

    Instead of pulling the network connection you say turn the power off? Wow, good idea, that way if they put something in init to erase any trace of them it's gone!

    Originally posted here by whizkid2300:
    "It is better to drop a server for 3-5 hours to find out what's wrong with it, fix it and put it back up."

    I don't think anyone is going to disagree with me that this is horrible advice at best. Root meaning they have root: back up what's needed and reformat. "Fixing" a box that could have been modified with a new backdoored ls and kernel...

    Originally posted here by whizkid2300:
    "And w and who do the same ****."

    Uhhhh, no they don't. who lists who's on the machine and what they are using. w lists uptime and a more brief spot on what's being used.

  3. #13
    Senior Member
    Join Date
    Sep 2005
    Posts
    332
    Gore:
    "And if you take it down and I've patched the Kernel with a back door, no you can't fix it and pop it back up"
    Why not?
    I would think that anything that can be changed like that can be fixed as long as you know the premises behind the patch's logic. Granted, I guess you would have to know there is a back door there in the first place, but wouldn't it still be possible, albeit harder, to fix and put back up?
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  4. #14
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    It might be possible, but every Unix security book I own says if root is compromised, you should back up what you need and format it, because you can't tell what has been patched to let them back in with a back door. ls, for example, and the kernel are targets I've seen before. It's very risky to try and use a box after root has been taken over. You'd probably have to go over the source code of every app on the server...

  5. #15
    Senior Member
    Join Date
    Sep 2005
    Posts
    332
    So basically it's possible, but so time-consuming and next to impossible to assure a complete fix that you are better off just backing up and starting over.

    Here's a question for ya: can a kernel be replaced? I ask this question under the assumption that the kernel is like a built-in proc; if this assumption is wrong, please correct me.
    "He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
    Benjamin Franklin

  6. #16
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    The amount of work replacing a kernel, as I said before, you'd be better off just formatting, WAY less time, and this is a server mind you, so you'd want the quickest solution possible to get it back up.

  7. #17
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Well, if you have the means to image the drive and work on an exact copy, yes, pulling the power cable would be a possible solution, and as you quite rightly said though, pulling a network cable, or the power one, I mean that HD is going to get turned back on eventually and if they added this to init:

    rm -rf /

    or

    rm -rf /var

    You have nothing to read in the form of logs.
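    The two points gore's post turns on (image the drive and work only on the exact copy; then look in the image's init tree for a planted "rm -rf /var" before the original disk is ever booted again) can be put together in a short POSIX shell script. This is an added example written for this page, not code from gore or any other poster. It works entirely on a constructed sample in a temp directory; the device name /dev/sdb, the mount point /mnt/evidence and the file names in the sample are assumptions, and on a real case the source would be the suspect disk attached to a separate clean machine.

```shell
#!/bin/sh
# Added example for the thread above, not code from any poster. It shows the
# "image the drive and work on the copy" step: take a raw image with dd, prove
# by SHA-256 that the copy is bit-for-bit identical, then search the COPY's
# init/rc tree for recursive deletes of absolute paths (rm -rf /, rm -fr /var,
# rm -r -f /home ...). Everything it touches is a constructed sample under a
# temp directory; on a real case SRC would be a block device such as /dev/sdb
# (assumed name) read from a second, clean machine, never from the suspect OS.
set -eu

# SHA-256 of a file; assumes either GNU sha256sum or Perl shasum is installed.
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Raw-copy $1 to $2 and refuse to continue unless the hashes match, so a
# short or corrupt read is never analysed as if it were the real disk.
# On a failing drive add conv=sync as well; the padded image then will not
# hash-match the source, so record the source hash separately in that case.
image_and_verify() {
  src=$1; dst=$2
  dd if="$src" of="$dst" bs=4096 conv=noerror 2>/dev/null
  src_hash=$(hash_of "$src")
  dst_hash=$(hash_of "$dst")
  if [ "$src_hash" != "$dst_hash" ]; then
    echo "image mismatch: $src_hash != $dst_hash" >&2
    return 1
  fi
  echo "$src_hash"
}

# List file:line:text for every recursive rm of an absolute path under the
# directory $1 (point it at the mounted image's etc/, e.g. /mnt/evidence/etc
# mounted -o ro,noexec; path assumed). Flags may be combined or split, so both
# "rm -rf /var" and "rm -r -f /home" are caught; "rm -f /var/run/x.pid" is not.
scan_init_tree() {
  grep -rnE \
    'rm[[:space:]]+(-[A-Za-z-]+[[:space:]]+)*(-[A-Za-z]*[rR][A-Za-z]*|--recursive)[[:space:]]+(-[A-Za-z-]+[[:space:]]+)*/' \
    "$1" || true
}

# Number of such lines under $1, as a plain integer.
count_init_hits() {
  scan_init_tree "$1" | wc -l | tr -d ' '
}

# Constructed sample: a 20 KB "disk" plus an etc/ tree in which rc.local has
# the kind of scorched-earth line the post warns about. Prints the sample root.
make_sample() {
  root=$(mktemp -d)
  dd if=/dev/urandom of="$root/sdb.raw" bs=1000 count=20 2>/dev/null
  mkdir -p "$root/mnt/etc/init.d"
  printf '#!/bin/sh\n# planted by the intruder\nrm -rf /var/log\nexit 0\n' \
    > "$root/mnt/etc/rc.local"
  printf '#!/bin/sh\nrm -f /var/run/foo.pid\n' > "$root/mnt/etc/init.d/foo"
  echo "$root"
}

# Run end to end when executed with --demo: image, verify, then scan the copy.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample)
  image_and_verify "$root/sdb.raw" "$root/sdb.img"
  scan_init_tree "$root/mnt/etc"
  echo "destructive init lines found: $(count_init_hits "$root/mnt/etc")"
fi
```

    Run it as `sh image_and_scan.sh --demo` (file name assumed). The hash check is the part that matters most: if dd hits a bad sector the copy silently differs from the source, and every conclusion drawn from it is then about the wrong data. The grep only catches the crude case the post describes; a kernel or ls backdoor of the kind gore mentions leaves nothing in init to find, which is why the thread's other answer (restore from a known-good backup and keep the image for the lawyers) is the one that survives.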

  8. #18
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I can see what you are trying to say, gore, but your lack of practical experience is showing a bit. You can't just format a server willy-nilly because you think someone has put a backdoor on it. A host or standalone, yes, but not a server.

    A server by its very nature has a lot of important information on it as well as controlling a lot of network apps/protocols - so it should be backed up, you will probably say - yes, it should, and if it has been, then there is no rush to get it formatted and back online as you said earlier. Simply take it down, put the backup online and you have all the time in the world to examine the compromised one.

  9. #19
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Nokia:

    Understood.

    Whiz:

    I banned you, not Negative. You got your wish from a while back when you said "You might as well ban me because I'm not going to stop posting about you and what I think of you", so can you quit PMing Neg? He didn't do it, I did. You attacked me for no reason and even Tiger Shark, who never takes up for me, has asked you to stop. Now knock it off; if you want to come back, fine, but that attitude towards everyone being below you has GOT to stop. If you actually read what I've said once in a while there wouldn't be a problem.

    Nokia:

    I haven't dealt with more than 5 servers and the books I have say you should always format. As you said, my inexperience shows.

  10. #20
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    Hey folks, this is obviously an academic exercise so please stand back a bit and look at the bigger picture.

    1. It is a production server
    2. It is an e-commerce deployment

    This introduces a number of practical considerations, particularly business continuity and legal requirements.

    From a business viewpoint, you would have backup hardware, preferably at more than one location. You would be able to do a seamless shift from one to the other.

    From a legal viewpoint you need to be able to preserve the potential crime scene and determine what the extent of the compromise was.

    In REALITY the technical IT/Computer Forensics aspect is IRRELEVANT... we are talking about the very survival of your business operation.

    This is not a question about forensics, this is a question of your livelihood and all of your employees. It is not about getting your server back online, it is about covering your a$$ when people take you to court, and keeping your business running... in a way it is a "trick question".

    OH!... and I happen to like sea otters.
