
Re: Rootkit



On Sunday 21 October 2007 22:38:52 Dave Burns wrote:
>
> You can trust the results if you reboot your system from a CD, with
> the caveat that there might be some new exploit that rkhunter and
> chkrootkit do not know about.  Or a bot that runs only in memory and
> so went away (for now) when you rebooted (only to return later
> probably).

From my experience, rebooting a hacked system is not a pretty good idea; who 
knows if they have changed the original "reboot" binary for a shell script 
which deletes logs, deletes the hard disk or whatever you might want to do in order 
to hide any proofs, in the end a logic bomb.
Rather than rebooting I, firstly, unplug the network cable and try to be 
careful when collecting proofs and data in order to get as much information 
as possible before rebooting and making the final analysis.

>
> Even without rebooting, it gives your intruders one more thing to
> think about and bungle. If you attribute them with god-like powers of
> foresight and concentration, there's no point in trying to avoid
> intrusions - this god-like being will certainly know some unpublicized
> exploit and predict every countermeasure you take and set up some
> kernel hack that tells you everything is fine when it is not. On the
> other hand, if they are merely human, it will be worth the trouble.
> The lock on my front door can be picked, but I still lock it when I
> leave the house.
>
> Well, yeah. But how do you know you've got a rootkit and how do you
> figure out how you've been hacked? rkhunter or chkrootkit can tell you
> a lot about that, though it's true that they may tell you nothing.
> They're a couple of tools in the kit.

I do support the use of rkhunter or chkrootkit, I just said that you might 
need to use other systems, such as tripwire and stuff, to have more primary 
sources to evaluate if your system is ok or you've had visitors :-)
Thank god in the majority of the cases they do nothing, just a defacement or some 
stupid things.
I only had one case where the cracker did nothing out loud, so he didn't want 
to show his friends how cool or good he was (which is, on the other hand, the 
main reason for script-kiddies to try to hack systems), and we caught him 
because he sent by error an email to "root". Otherwise he was doing pretty well, 
no rootkits, nothing in /tmp...

>
> You are also assuming that it is practical to take the system offline.
> I'd say you definitely should have enough slack in your plans that you
> could take any particular machine offline and re-install it, but
> sometimes people find themselves facing unanticipated trade-offs and
> would like to have the option of doing something quicker though
> perhaps more risky. Well, let's hope we never go there.
>
> There's also the case where things are less clear cut - maybe there's
> something wrong,  but you don't yet know. I guess monitoring your
> network traffic may be less ambiguous, but hey, who's to say the
> hacker can't fool you there too? Whatever the intruder does, it is
> possible to try to camouflage it, given time and ingenuity. Just
> because there are stealth bombers doesn't mean you turn off your
> radar.
>
> Of course, all this makes me want to move "learn about snort" higher
> on my list of things I need to do.
>
> What method do you use to watch out for intrusion attempts?

Loads of them, I mean, I'm quite paranoid about security since I work in this 
field.
To evaluate my general system security I use babel (http://babel.sf.net), then 
snort for some critical machines, tripwire and logcheck (run every night and 
email me the results). I run every hour netstat -putan | grep -i 
listen to see if I have any unexpected port listening on my systems.
I also have a very strong security policy regarding passwords (Babel helps 
me to find out who's using a weak password...)
I have written some bash scripts to automate some other security tasks I want 
to be aware of, such as last user logged in, last IP...
I'll continue later, since I'm at the office and I have a meeting :-)

Best regards from Madrid :-)
Un saludo!

Manuel
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
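The hourly `netstat -putan | grep -i listen` check Manuel describes is more useful when the output is compared against a baseline taken while the host was known-good, rather than eyeballed each time. The script below is an added example, not from the thread or from any of the tools it names; it parses Linux net-tools `netstat -putan` output (columns Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name), keeps only LISTEN sockets, and reports any proto/address/program triple absent from the baseline. Both netstat snapshots embedded below are constructed sample output; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): diff the listening sockets reported by
# `netstat -putan` against a known-good baseline and report anything new.
# On a live host you would pipe real `netstat -putan` output in; run it as root,
# because netstat prints "-" instead of a program name for other users' processes.

# Reduce netstat -putan output on stdin to sorted "proto local-address program"
# lines, one per LISTEN socket.
listeners_from_netstat() {
    awk '$6 == "LISTEN" {
        # column 7 is "PID/Program"; keep the program name, "unknown" if hidden
        n = split($7, pp, "/")
        prog = (n >= 2 && pp[2] != "") ? pp[2] : "unknown"
        print $1, $4, prog
    }' | sort -u
}

# Print an UNEXPECTED line for every listener on stdin that is not in the
# baseline ($1, newline-separated "proto addr prog" entries from a good host).
unexpected_listeners() {
    baseline="$1"
    listeners_from_netstat | while read -r proto addr prog; do
        printf '%s\n' "$baseline" | grep -qxF "$proto $addr $prog" \
            || printf 'UNEXPECTED: %s %s %s\n' "$proto" "$addr" "$prog"
    done
}

# Convenience wrapper for cron/logcheck: $1 = baseline, $2 = current netstat
# text. Prints the report and returns 1 when something unexpected is listening.
check_listeners() {
    report=$(printf '%s\n' "$2" | unexpected_listeners "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: netstat -putan as captured when the host was known-good.
BASELINE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1023/exim4
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 2210/sshd: admin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# Constructed sample: a later snapshot of the same host with two new listeners,
# one of them with its program name hidden ("-").
CURRENT_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1023/exim4
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      4471/python'

# Build the baseline once from the known-good capture, then check the snapshot.
BASELINE=$(printf '%s\n' "$BASELINE_NETSTAT" | listeners_from_netstat)
if check_listeners "$BASELINE" "$CURRENT_NETSTAT"; then
    echo "all listeners match the baseline"
else
    echo "ALERT: listeners above are not in the baseline"
fi
```

The baseline should be regenerated whenever you deliberately add a service, and stored somewhere the host itself cannot rewrite (the same reasoning as mailing the logcheck results off-box). The check shares the limitation raised earlier in the thread: a kernel-level rootkit can hide sockets from netstat entirely, which is why this is one source among several rather than the verdict on its own.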

