Forensics On a Cracked Linux Server
This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.
Re:Further discussion... (Score:5, Interesting)
For example, one of Vodafone Greece's first reactions to finding that some of their switching systems had been rootkitted was to remove the offending software. This removal was one of the main contributing factors to the authorities having no chance to ever find the group that had compromised the system; that, along with a couple of other screwups, led to Vodafone getting fined a pretty hefty sum.
http://en.wikipedia.org/wiki/Greek_telephone_tapp
IEEE Spectrum had a recent article that had MUCH better information than Wikipedia, though; I don't have it with me at the moment, unfortunately.
Re:Forensics (Score:1, Interesting)
lrwxr-xr-x 1 root wheel 11 Dec 20 2006
I'm pretty sure it is. I didn't use any crazy exploits or anything. It's an old computer that I once had access to when I was in school. It's just a lesser-used machine and all I use it for is bit torrent (on a
I created a few users such as "apache" and "sendmail". I'm not claiming to be a haxor by any means, and I just use it, like I said, for bit torrent.
'apache's root directory is actually a mounted DMG file that I have mounted to
With OSX it's pretty easy.
Create DMG:
Attach DMG:
Detach DMG:
128-bit encryption on that home directory. No one really questions large files in
Who needs clever hacks? (Score:3, Interesting)
It's pretty appalling. We would need an army of sysadmins--an army which is currently employed already--to really do something about it. Most of what we see are primitive script kiddie hacks, but guess what--that's good enough, and rarely are the perpetrators hunted down.
Who knows what the more sophisticated hackers are up to!
Re:How did he get access and On tools (Score:3, Interesting)
The IRC-bot creators seem to be among the worst of the script kiddies. Frankly, IRC should go the way of open relays. Too much of the traffic is illegitimate to justify allowing it through any firewalls or any ISP provided system. It should be blocked even before non-ISP-server bound SMTP, simply for damage control.
Re:Who needs clever hacks? (Score:2, Interesting)
It's more about 2 screwed up business models (If you look at it from a technical point of view).
They want cheap servers with bandwidth, buy cheap servers and buy shitloads of bandwidth. Offer them for really cheap prices ( 10,000 Servers. They may have five or six people on a shift for maintaining these systems. These guys are responsible for patch management and backup/restore, plus they have to physically replace the systems which crash (usually there is very little forensics done: it's down, yank the box, replace it and restore. This usually happens to about 15 boxes a week. Plus you have the hardware update cycle. There's another 100+ getting yanked per week). So these guys are usually pretty busy. There are only a few guys who actually look at the system and try and determine why it is running slow, but they aren't there to fix problems. They're in place to tell customers they have a problem and tell them that they need to fix it or let them restore it (very, very nicely). They aren't there to go through the intricacies of a hack.
Comp 2) Some guy heard about this web thingy and heard he can make money doing it. He knows very well that he can't have less than a full server for his 12 orders a week. Of course he originally thought it would be thousands, especially since he went out and had a professional build the whole site for him for $500 (looks good). He occasionally calls this guy up to update his site for $50 (content, mind you).
So now we have 2 businesses with an interest in a server and neither one gives a shit about security. (Of course the techs working at Company 1 do, but they don't have time for that.)
Which brings us to Comp 3. These are the guys Comp2 turns to when their server isn't fixed or keeps crashing due to poor security. They charge 10% more, but this time Comp2 asks them about security. Comp3 answers yes we are vigilant about security "We do patch management and are vigilant about monitoring for hackers". "Ahh, you monitor for hackers" Comp2 says "I'll take it". Never realizing that he is getting no more than what he was getting from Comp1.
But won't Comp1 go out of business? No Comp1 is getting Comp3's old customers for the same problem.
Basically, if you aren't paying $250/month for computer and bandwidth and paying $300 for management of a system, you're getting a Dell Dimension in a barn somewhere. And odds are pretty good that a hacker is going to get it or a cow is going to shit on it.
Virtual machines rule... (Score:3, Interesting)
If I did care, I could either suspend the virtual machine or make a snapshot of it.
Virtual machines are cool
If you don't run machines in a VM, I believe the proper way to do forensics is to pull the plug (not sure if attackers would tamper with fsync), then make a copy of the drive using hardware that is certified to block writes to the drive; there are a few vendors about selling such hardware and software to go with it. Google should show up a few.
If you do it any other way, any evidence gathered could be considered suspect or tampered with by the defense, or you could accidentally destroy your evidence, or you could be allowing the attacker to destroy the evidence.
Doing what the chap did in the article is definitely not "forensics", any more than stomping all over a murder scene while touching everything is forensics or a proper investigation.
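The imaging step the comment above describes, as an added example that is not from the comment or the original article: a POSIX shell routine that refuses to image a block device the kernel still reports as writable (a stand-in check, not a replacement for the hardware write blocker mentioned), copies it with dd, keeps dd's own messages as a log, and writes a sidecar file with the source hash before and after imaging plus the image hash, so a mismatch is caught immediately. Names (`image_and_verify`, the `.sha256` and `.dd.log` suffixes) are this example's own; it assumes GNU/BusyBox `sha256sum`, `dd` and util-linux `blockdev`.

```shell
#!/bin/sh
# Forensic imaging helper (added example, not from the page). Works on a
# regular file for offline demonstration; a real run passes a /dev node.

# Print only the SHA-256 hex digest of a path.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# For block devices, require the kernel read-only flag (blockdev --getro -> 1).
# Regular files (used in the demo) pass through; a hardware blocker is still
# the real control, this only catches an obviously writable device.
assert_read_only() {
    if [ -b "$1" ]; then
        [ "$(blockdev --getro "$1")" = "1" ] || return 1
    fi
    return 0
}

# image_and_verify SRC DST
#   Hashes SRC, copies it to DST with dd, re-hashes SRC and hashes DST, and
#   records all three digests in DST.sha256. dd's stderr is kept in DST.dd.log
#   as part of the record. Note: conv=noerror,sync is deliberately NOT used
#   here; with a bs larger than the sector size, sync pads the final short
#   read with zeros and the image hash would no longer match the source.
# Returns 0 only when all three digests agree.
image_and_verify() {
    src="$1"; dst="$2"
    assert_read_only "$src" || { echo "refusing: $src is not read-only" >&2; return 2; }
    src_before=$(hash_file "$src") || return 3
    dd if="$src" of="$dst" bs=1M 2>"$dst.dd.log" || return 4
    src_after=$(hash_file "$src") || return 3
    dst_sum=$(hash_file "$dst") || return 3
    printf 'source-before %s %s\nsource-after  %s %s\nimage         %s %s\n' \
        "$src_before" "$src" "$src_after" "$src" "$dst_sum" "$dst" > "$dst.sha256"
    [ "$src_before" = "$src_after" ] && [ "$src_before" = "$dst_sum" ]
}

# Usage: sh image.sh /dev/sdX /mnt/evidence/sdX.dd  (no-op when run without args)
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```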