Root Compromise: Detection, Recovery, and Prevention/Deterrence
by Rick Moen
(See also files in http://linuxmafia.com/pub/linux/security/ .)


Detection
---------
Explain types of compromise.
Explain rootkits, common paths of compromise, common goals of intruders.
Quick checks: compare the size (better, the checksum) of /usr/bin/login
against a known-good copy. Disadvantages: a trojaned login can be padded to
the original size, and the ls and md5sum you use may themselves be trojaned.
Monitor log files and analyse them: messages, xferlog, utmp, wtmp, secure.
(utmp and wtmp are binary; read them with who and last.)
Check suid/sgid files (root-owned first, but also those owned by other
users and groups) against a list taken from a clean install.
Is a network interface in promiscuous mode (i.e. running a sniffer)? The
kernel notes the change on the console and in the messages log; check
before a reboot or runlevel change discards the running state. (VMware, and
any tcpdump you ran yourself, also use promiscuous mode; rule them out.)
Any filesystem unexpectedly full, or a directory far larger than it should
be? It may hold a warez collection.
cron and at jobs: look in the crontabs and the at spool for anything unfamiliar.
/etc/passwd, /etc/shadow: Are there strange entries (new users, uid 0
accounts other than root, accounts with no password)?
/etc/inetd.conf: any services added or re-enabled?
/etc/hosts.deny, hosts.allow, hosts.equiv, and users' .rhosts files: any
loosened entries or new trust relationships?
Look for oddly named dotfiles and directories ("...", ".. " with a trailing
space, etc.) that a casual ls overlooks.
Audit all nearby hosts, too: an intruder on one LAN machine has usually
sniffed passwords for, or already broken into, its neighbours.
Watch security advisories from CERT, Red Hat.
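The following is an added example, not part of these notes: a small sh
sweep implementing three of the checks above (setuid/setgid files diffed
against a baseline taken at install time, oddly named dotfiles and
directories, and syslog lines that report promiscuous mode or root logins).
The directory tree and the log lines it creates under a temporary directory
are constructed demo data, not files from any real host; in real use point
the functions at the suspect filesystem's root and its /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original page): three of the detection checks
# above as shell functions.  Run with binaries from known-clean media; a
# rootkit's replacement find/ls/grep will hide exactly what this looks for.

# Setuid/setgid files under $1 as "mode owner path", sorted.  Save the
# output from a clean install as a baseline and diff against it later.
# -printf is GNU find; -xdev keeps the walk on one filesystem.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# Live list under $1 versus baseline file $2: "> path" is a new setuid/sgid
# file, "< path" a vanished one.  Exit 0 if unchanged, 1 if anything differs.
diff_suid_baseline() {
    list_suid_sgid "$1" | diff "$2" -
}

# Names used to hide directories from a casual ls: three or more dots, or a
# dot-name padded with whitespace (".. ", ". ").  grep does the matching
# because find's -name patterns cannot express "ends in a space".
find_odd_dotnames() {
    find "$1" -xdev -name '.*' 2>/dev/null \
        | grep -E '/(\.{3,}|\.\.?[[:space:]]+|\.[^/]*[[:space:]]+)$'
}

# Syslog lines that deserve a second look: the kernel reporting an interface
# entering promiscuous mode (a sniffer, unless it is VMware or a tcpdump you
# started yourself) and root logging in, or failing to, from anywhere.
scan_messages() {
    grep -n -i -E \
      'promiscuous mode|accepted password for root|failed password for root|root login on' "$1"
}

# ---- constructed demo data (not real files or logs) ----------------------
DEMO=$(mktemp -d)
mkdir -p "$DEMO/usr/bin" "$DEMO/tmp/..." "$DEMO/tmp/.. " "$DEMO/home/.hidden"
echo x > "$DEMO/usr/bin/passwd"; chmod 4755 "$DEMO/usr/bin/passwd"
list_suid_sgid "$DEMO" > "$DEMO/suid.baseline"   # the "clean install" baseline
echo x > "$DEMO/tmp/.../sh";    chmod 4755 "$DEMO/tmp/.../sh"   # planted later

LOGFILE="$DEMO/messages"
cat > "$LOGFILE" <<'EOF'
Mar  3 02:11:05 host kernel: device eth0 entered promiscuous mode
Mar  3 02:11:40 host sshd[1432]: Accepted password for root from 203.0.113.7 port 4023 ssh2
Mar  3 02:12:01 host CROND[1501]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:13:12 host login[1510]: ROOT LOGIN ON tty1
EOF

echo "== setuid/setgid changes since baseline"
diff_suid_baseline "$DEMO" "$DEMO/suid.baseline"
echo "== oddly named dotfiles/directories"
find_odd_dotnames "$DEMO"
echo "== syslog lines to review"
scan_messages "$LOGFILE"
# $DEMO is left in place for inspection; rm -rf "$DEMO" when done.
```

The baseline approach matters more than the one-off listing: a setuid shell
dropped into a "..." directory is invisible to someone eyeballing ls output
but stands out immediately as a "> " line against a list made on a clean
system, provided that list was stored somewhere the intruder could not edit.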

Recovery
--------
Document all steps. Coordinate with legal & management.
Should you monitor? Notify sysadmins? Prosecute? Report to authorities?
Create a trap?
Take it slowly and carefully. Have a colleague check your work.
Isolate the system. This might mean unplugging the machine's network
connection, or its whole LAN's. You might also drop to runlevel 1, but
capture the running state first (next item).
Examine the initially running machine state (processes, open network
sockets, disk space, RAM usage, system load) before changing anything.
Record it off-host: the tools you run may be trojaned, and anything held
only in RAM is gone after a reboot.
Back up the whole disk, not just files. Boot from a clean floppy (e.g.
Tom's root-boot), then dd the raw device over ssh to another host, _or_
dd it onto a 2nd hard drive. Record a checksum of the image.
Examine nature & extent of break-in. /etc/* /var/log/*
Don't trust on-system tools while doing so. Better, mount the
target filesystems on a fresh system for examination.
Use rpm -V (rpm -Va checks every installed package). It compares each
file's MD5 digest, size, mode and owner with the rpm database, but this
assumes the integrity of that database, which an intruder with root can
rewrite. Config files are flagged whether you or the intruder changed them,
so it won't tell you one was jiggered, and it knows nothing about dotfiles
or any other file that came from no package.
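Here is an added example, not from these notes, of making rpm's verify
output readable: an awk filter that ranks each line by what changed. The
sample lines it feeds itself are constructed, not output from any real
host, and the column layout assumed (eight flag characters SM5DLUGT, an
optional "c" marking a config file, then the path) is that of the rpm
versions of the day; later rpm adds a ninth flag column, and the same parse
still works because it keys on the characters, not the width.

```shell
#!/bin/sh
# Added example (not from the original page).  rpm -V prints one line per
# file that differs from the package database: a flag column (S size,
# M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime,
# "." for unchanged), an optional type letter ("c" = config file), then the
# path; "missing" means the packaged file is gone.  This reads that output
# on stdin and ranks it.  Paths containing spaces are not handled.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING  " $NF; next }
        {
            flags = $1; path = $NF; cfg = ($2 == "c")
            if (index(flags, "5") && !cfg)
                print "REPLACED " path "   (digest changed on a non-config file: rootkit territory)"
            else if (index(flags, "5"))
                print "CONFIG   " path "   (edited: by you, or by the intruder?)"
            else if (flags ~ /[SMUG]/)
                print "ATTRS    " path "   (" flags ": size/mode/owner changed, digest same)"
            else
                print "mtime    " path "   (timestamp only; usually noise)"
        }'
}

# Constructed sample of rpm -Va output for the demo (not from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T   /bin/login
S.5....T   /sbin/ifconfig
S.5....T c /etc/inetd.conf
.......T   /usr/share/magic
.M......   /usr/bin/chage
missing    /usr/sbin/tcpd
EOF
}

# Real use, from a clean host with the suspect disk mounted on /mnt/suspect
# (a hypothetical mount point).  The rpm binary is then the clean host's, but
# the database under /mnt/suspect/var/lib/rpm is still the suspect system's,
# so the caveat in the notes above still applies:
#   rpm --root /mnt/suspect -Va 2>/dev/null | triage_rpm_verify
sample_rpm_va | triage_rpm_verify | sort
```

A replaced /bin/login or /sbin/ifconfig with its digest changed is the
classic rootkit signature; an mtime-only change on a documentation file is
not worth a second look. Separating the two is the whole point of the
filter, since a raw rpm -Va on a busy host runs to hundreds of lines.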
Are user data files, Web pages, ftp archives, other data files OK?
Check for break-ins to remote systems inside and outside the company.
Communicate out of band: look up NIC handles at
http://www.networksolutions.com/cgi-bin/whois/whois or another
appropriate whois server, and use the telephone rather than e-mail, which
the intruder may be reading.
Check for logfiles from password/packet sniffers.
Check for rootkit files, canned-exploit tools. Look in /dev, /var,
unfamiliar home directories.
Install a clean OS build plus all current patches. (Follow the prevention
steps, below.)
Set new passwords (after doing the above, since the old ones may have been
sniffed or cracked), and turn on password aging and password checking.
Selectively restore from backups (no system binaries or config files).
Restore home directories, system non-program data (Web pages, ftp
collections). Watch for .rhosts files.
Don't reconnect to network until the above is done.
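As an added example for the backup step of the procedure above (not part
of these notes), here is the disk-imaging half in shell: a block-for-block
dd copy with an MD5 of the bytes recorded as they are read, so the image
can be checked later without touching the suspect disk again, plus the
ssh variant. The "disk" it images in the demo is a constructed 1 MiB file,
and the device name, host name and paths in the comments (/dev/hda,
analyst@evidence.example, /mnt/disk2) are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): image a suspect disk and keep
# a checksum of what was read, so the copy can be shown identical later
# without touching the original again.  Run from a clean boot medium (the
# notes suggest Tom's root-boot) with the suspect filesystems unmounted, or
# the image and the checksum will drift as the live system writes.

# Block-for-block copy of device/file $1 to path $2 (e.g. on a second hard
# drive), writing the MD5 of the bytes as they pass through to "$2.md5".
image_to_file() {
    dd if="$1" bs=65536 2>/dev/null | tee "$2" | md5sum | awk '{print $1}' > "$2.md5"
}

# Same copy over ssh to $2 (user@host), stored at remote path $3.  Check it
# afterwards with  md5sum "$1"  on the boot medium  versus  ssh "$2" md5sum "$3".
image_over_ssh() {
    dd if="$1" bs=65536 | ssh "$2" "cat > '$3'"
}

# Exit 0 if image $1 still hashes to the digest recorded in file $2.
verify_image() {
    [ "$(md5sum "$1" | awk '{print $1}')" = "$(cat "$2")" ]
}

# ---- demo on a constructed 1 MiB "disk" (a plain file, not a device) -----
WORK=$(mktemp -d)
DEMO_DEV="$WORK/hda"
DEMO_IMG="$WORK/hda.img"
yes 'suspect disk block' | head -c 1048576 > "$DEMO_DEV"

image_to_file "$DEMO_DEV" "$DEMO_IMG"
if verify_image "$DEMO_IMG" "$DEMO_IMG.md5" && cmp -s "$DEMO_DEV" "$DEMO_IMG"; then
    echo "image verified: $(cat "$DEMO_IMG.md5")  $DEMO_IMG"
else
    echo "image does NOT match"
fi
# Real use (placeholder names):
#   image_to_file  /dev/hda /mnt/disk2/hda.img
#   image_over_ssh /dev/hda analyst@evidence.example hda.img
```

Write the digest down on paper as well as in the .md5 file: if the image is
ever produced as evidence, being able to show it still hashes to what was
recorded at the time is what makes it worth anything.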

Prevention/Deterrence
---------------------
Turn off unused services and remove unused CGI programs.
Use pared-down network daemons if they meet your needs: ???ftpd instead
of wu-ftpd, boa instead of Apache, exim instead of sendmail.
Eschew plaintext-authentication network protocols, where possible. Use
ssh, ssh tunnels, scp. Don't use xhost, let alone "xhost +".
Set up hosts.deny, hosts.allow.
Apply security fixes from VA Linux, Red Hat and the kernel maintainers as
they are issued.
Read rootshell (cum grano salis) and CERT advisories.
Don't allow remote login by the root account: /etc/securetty should list
only local consoles, never pseudo-ttys. (Likewise set PermitRootLogin no
in sshd_config, and su from an ordinary account instead.)
Add creation of a root-owned, zero-length, mode 000 .rhosts file to the
adduser script, so users cannot create a writable one of their own.
Retrofit to existing accounts.
Set selected filesystems read-only.
Run AIDE. Store its database (and rpm's) on write-protected media.
Install automatic analysis of log contents, with notification.
Carefully check ftp upload directories. Don't have files in the anonymous
ftp tree owned by the ftp user, or anyone who can write as ftp can replace
them.
Consider filtering routers or proxy gateways ("firewalls").
Write a security policy.
No "joe" accounts (password equal to the username) and no guest account.
No read-write NFS exports. Export read-only where possible, and consider
exporting only to specific IP addresses rather than to the world.
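As an added example (not part of these notes) for the hosts.allow/hosts.deny
and securetty items above, here is a small audit in sh, with a weak and a
corrected version of each file. The sample files are constructed for the
demo; point the functions at the real /etc files. It relies on how
tcp_wrappers evaluates access: hosts.allow is consulted first, then
hosts.deny, and a client matching neither is allowed, so a hosts.deny
without a default "ALL: ALL" leaves every wrapped service open.

```shell
#!/bin/sh
# Added example (not from the original page): audit two of the settings
# above, /etc/securetty and the tcp_wrappers files.  The sample files are
# constructed for the demo; point the functions at the real ones.

# Any securetty entry naming a pseudo-tty would let root log in over the
# network (telnet/rlogin sessions land on pty/ttyp devices, sshd on pts/N).
# Prints the offending lines; exit 1 if any, 0 if the file is clean.
check_securetty() {
    if grep -n -E '^[[:space:]]*(pts/|pty|ttyp|ttyq)' "$1"; then
        return 1
    fi
    return 0
}

# hosts.deny must carry a default "ALL: ALL" so that anything not explicitly
# allowed is refused, and no hosts.allow line may open a service to ALL
# clients (which would silently undo the deny).  Exit 1 on either failure.
check_wrappers() {   # $1 = hosts.allow  $2 = hosts.deny
    rc=0
    if ! grep -v '^[[:space:]]*#' "$2" | grep -q -E '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'; then
        echo "hosts.deny: no default 'ALL: ALL' rule"; rc=1
    fi
    if grep -n -E '^[[:space:]]*[^#[:space:]][^:]*:[[:space:]]*ALL([[:space:]]|:|$)' "$1"; then
        echo "hosts.allow: the line(s) above grant a service to ALL clients"; rc=1
    fi
    return $rc
}

# ---- constructed sample files ------------------------------------------
CONF=$(mktemp -d)
printf 'tty1\ntty2\nttyp0\npts/0\n' > "$CONF/securetty.weak"    # root over the network
printf 'tty1\ntty2\n'               > "$CONF/securetty.fixed"   # local consoles only
printf 'ALL: ALL\n'                 > "$CONF/hosts.allow.weak"  # everything open
printf '\n'                         > "$CONF/hosts.deny.weak"   # nothing denied
printf 'ALL: ALL\n'                 > "$CONF/hosts.deny.fixed"  # default deny
cat > "$CONF/hosts.allow.fixed" <<'EOF'
# allow only the services we need, only from where we expect them
sshd: 192.168.1. 10.0.0.5
in.ftpd: 192.168.1.
EOF

for v in weak fixed; do
    echo "== $v configuration"
    check_securetty "$CONF/securetty.$v" && echo "securetty: ok"
    check_wrappers "$CONF/hosts.allow.$v" "$CONF/hosts.deny.$v" && echo "tcp_wrappers: ok"
done
```

The allow-side check is the one people forget: an "ALL: ALL" that somebody
pasted into hosts.allow to "make it work" wins over the deny file, and the
audit has to catch that as surely as a missing deny rule.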