From: Rick Moen
Subject: Re: More on being cracked
Date: Sun, 8 Sep 2002 20:17:02 +0000 (UTC)
Organization: If you lived here, you'd be $HOME already.
User-Agent: tin/1.5.13-20020703 ("Chop Suey!") (UNIX) (Linux/2.2.19 (i686))

Chris Olson wrote:

> Could be. I want to know how it got there.

A worthy goal. As I was saying, computer forensics is a large field of
study, on its own.

The first steps in formal forensics would be as follows:

(1) Immediately yank AC power to the compromised host upon determining
it to be compromised, shutting it off summarily without going through
shutdown. There are reasons for this, which we could go through but
I don't want to spend time on in this newsgroup article.

(2) Inform your management (if any). Inform law enforcement, if you
think you might wish to pursue any form of criminal investigation.
Law enforcement agencies may have particular requirements as to chain
of custody on evidence, and other matters, that they might need you to
comply with.

(3) Secure copies of logs from all other relevant hosts.

(4) Boot other media (a separate hard drive, an LNX-BBC disc, whatever
works for you), and create a bitwise copy of the compromised host's
filesystems. Do this in such a fashion that you avoid executing any
code from the compromised filesystems. Shut down, extract the
compromised system's original hard drive(s) as a reference copy, and
store for safekeeping.

(5) Boot up again, still using other boot media to avoid executing any
code from the replica of the compromised filesystems. Mount them.
Examine at your leisure (along with the preserved logfiles from
elsewhere), to attempt to find the entry point by tracing any
still-available signs of the intruder's actions.

(6) In parallel, you would of course also need to construct and deploy a
replacement host. You can safely reuse without particular scrutiny all
data files. (Safe from those files posing a renewed security threat, in
themselves. The intruder could of course have corrupted data files,
substituted fake files, etc.) You cannot reuse, but need to refer to,
the prior contents of /etc. You cannot reuse executables including
interpreted code and script files.

The CERT document I referred you to earlier,, has more.
(It's one of the few useful things CERT does.)

> After reviewing firewall logs from the log server, we've ruled out
> network intrusion and direct access from the outside.

Did you ever ssh or scp into the host from any other host? Then, please see .

I believe you said the host ran an sshd. Crypto, alas, is not magic
security pixie dust. SSH tunnels' security hinges on (1) authentication
of the remote host (to rule out man-in-the-middle attacks) and (2) the
assumption that _neither_ host has been compromised. Therefore, if you
ssh in from a compromised host, you lose.

(Point #1 refers to the problem of transporting host keys out of band,
in advance of the first SSH session. Most people just shrug off this
risk, and live with the possibility of MitM attacks.)

> Since I didn't deliberately download a rootkit/trojan tarball and
> install it....

Just for clarity: A rootkit is _not_ an attack tool. A rootkit is a
set of trojaned replacements for standard system utilities that the
intruder installs _after_ breakin, to conceal his presence as long as

Symlinking /root/.bash_history to /dev/null is an additional, incredibly
sloppy way to further that goal. Ditto erasing logfiles, disabling
syslogd, etc. (I say "incredibly sloppy" because it's a dead giveaway.)

If I may immodestly suggest it, again:

> Call it "unfocussed, randomly flailing paranoia" if you will, but until
> I know for sure where it came from, only then will I be able to
> determine if the same infected software has been installed on other
> machines here.

Suggestion: Since your working hypothesis is "infected software", find
it. If you fail to find it, that would tend to suggest the hypothesis
failed. (Personally, I very strongly doubt the hypothesis, ab initio.
But I don't think you're going to get very far if -- no offence -- you
didn't even know what a rootkit is and isn't.)

> Until that time of enlightenment, every source is suspect, including
> Debian's software vault, the 'test' packages for KDE that were
> installed on this machine, and several other sources.

Consider ramifications: If a major upstream repository started handing
out security-compromised software a week ago, odds are that it would be
all over the news by now. In this regard, unofficial apt repositories
always entail more inherent risk than official ones. Pick your poison.
But I'll lay very long odds against "boojums" from the two sources
you've cited specifically, on the evidential grounds just described.

Suggestions for further reading, after you recover from what was
undoubtedly a very troublesome and exhausting experience:

Crypto-gram. Comes out the 15th of each month. Essential.

The RISKS Digest. Irregularly issued. Essential. Funny as hell.

Firewalls and Internet Security, Wm. R. Cheswick and Steven M. Bellovin
Addison-Wesley, ISBN 0-201-63357-4
Steve tells me that the 2nd edition is due out Real Soon Now.

Real World Linux Security, by Bob Toxen
Prentice Hall, ISBN 0-13-028187-5
Generally good, though Toxen includes some dumb-ass recommendations that
actually drove me to offer to Bill Pollock of No Starch Press to write a
Linux security book of my own -- which I may do, if I can find an angle
that will distinguish mine from the crowd.

Running Linux, by Matt Welsh et alii.
O'Reilly, 3rd edition. ISBN 1-56592-469-X
A prerequisite for any hope of security is to understand your systems
and their environment. This is one place to start.

TCP/IP Network Administration, by Craig Hunt
O'Reilly, 3rd edition. ISBN 0-596-00297-1
And this is the other.

Cheers, "That article and its poster have been cancelled."
Rick Moen -- David B. O'Donnel, sysadmin for America Online