On Sun, 21 Nov 2004, Ryan O'Rourke wrote:

> Mike Miller wrote:
>
>> I keep copies of ls and ps binaries on my system so that I can use them 
>> if I think I've been cracked.
>
> I don't understand what good that does if your system has been rooted 
> though. Why can't an attacker just change those saved binaries as well?

They *could*, but they usually won't.  I change the names to something 
like original_ls and original_ps and put them in a place that isn't in the 
path.  You have to understand that most people who break into your 
computer are not spending much time dealing with the intricacies of your 
system.  They just run some script that makes some stock changes and 
that's it.

If you want to be doubly careful, you could keep a copy of the binaries on 
a cd or floppy, then scp them to your box to make comparisons.  You could 
make md5 checksums to see if files are changed.

I haven't used tripwire, but that will allow you to do some of this kind 
of stuff automatically.


> Well, after booting from a Knoppix cd, mounting my drives, and running 
> chkrootkit on them I get "Checking 'su' ... INFECTED". Not a good sign.
>
> Now the question is - how do I go about figuring out how it was done? 
> What kind of forensics can I do to turn this into a learning experience 
> before I reformat and reinstall?

When it has happened to me, I've been able to put a proper ps file on the 
system, look at the processes they are running and figure out more about 
what happened.  I also could look at logs of attempts to connect to 
various ports and I could see how they were getting in.


> I'm kind of suspecting that one of my Windows users may be at fault 
> here. Is it possible that one of them may have been compromised first 
> and then the attacker used a password or key found in WinSCP to 
> compromise my system? Or is it more likely the attack just came from the 
> Internet directly through my one open port, past my router, past my 
> firewall, and breached that way?

If I knew more, I'd tell you.

Best,

Mike
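The checksum idea from the message above, as an added example that is not part of the original post: record md5 checksums of the binaries you care about, then later report which ones changed or went missing. It assumes GNU or busybox md5sum output ("<hash>  <path>"), and that the hashing tool named in $MD5 is itself trustworthy; the sample files stand in for real binaries and are constructed by the demo function.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a baseline of md5
# checksums for selected files and later reports which ones changed.
# Assumption: $MD5 points at a *trusted* md5sum (e.g. a copy from CD or another
# box). An attacker who trojans ls and ps can just as easily trojan md5sum, so
# the tool and the baseline file should both live off the suspect system.
MD5="${MD5:-md5sum}"

# make_baseline BASELINE_FILE FILE...
# Writes one "<hash>  <path>" line per file (md5sum's native format).
make_baseline() {
    out="$1"; shift
    "$MD5" "$@" > "$out"
}

# verify_baseline BASELINE_FILE
# Prints "CHANGED <path>" or "MISSING <path>" for every problem found.
# Exit status is the number of problems, so 0 means every file still matches.
verify_baseline() {
    problems=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            problems=$((problems + 1))
            continue
        fi
        have=$("$MD5" "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"
            problems=$((problems + 1))
        fi
    done < "$1"
    return "$problems"
}

# demo: constructed stand-ins for /bin/ls, /bin/ps and /bin/su. After the
# baseline is taken, "ls" is replaced (a trojaned binary) and "su" is deleted,
# so verify_baseline should report exactly two problems.
demo() {
    d=$(mktemp -d)
    printf 'ls v1\n' > "$d/ls"
    printf 'ps v1\n' > "$d/ps"
    printf 'su v1\n' > "$d/su"
    make_baseline "$d/baseline.md5" "$d/ls" "$d/ps" "$d/su"
    printf 'ls with a backdoor\n' > "$d/ls"   # simulate a replaced binary
    rm "$d/su"                                  # simulate a removed file
    if verify_baseline "$d/baseline.md5"; then status=0; else status=$?; fi
    rm -rf "$d"
    return "$status"
}
```

Run make_baseline once on a freshly installed box (for example over /bin/ls, /bin/ps, /bin/su, /bin/netstat) and keep the baseline file somewhere the attacker's script will not look, or better off the machine entirely; verify_baseline then does the comparison the message describes. Tripwire automates the same loop and additionally protects its own database, which is the part a hand-rolled checksum file lacks.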

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list