On Sun, 21 Nov 2004 21:30:00 -0600, Ryan O'Rourke <tclug at ryanorourke.org> wrote:
> Mike Miller wrote:
> > I keep copies of ls and ps binaries on my system so that I can use them
> > if I think I've been cracked.
> 
> I don't understand what good that does if your system has been rooted
> though. Why can't an attacker just change those saved binaries as well?

An attacker could. I would pull down binary copies from a known-good
source, or use knoppix, etc. as you have.

> Now the question is - how do I go about figuring out how it was done?
> What kind of forensics can I do to turn this into a learning
> experience before I reformat and reinstall?

This is very often difficult to do, especially if you cannot detect
how long your system has been compromised. If you wanted to make this
a forensics exercise, do not boot off that hard drive again. Check
things like file atimes and mtimes to see what files have been created
or modified recently. You can also research what rootkit was used, and
check out what other things that rootkit could have modified. You
could also try to 'honeypot' the system, and stick an in-line sniffer
in there to monitor system accesses.

> I'm kind of suspecting that one of my Windows users may be at fault
> here. Is it possible that one of them may have been compromised first
> and then the attacker used a password or key found in WinSCP to
> compromise my system? Or is it more likely the attack just came from
> the Internet directly through my one open port, past my router, past
> my firewall, and breached that way?

What was the open port?

Regardless, I would say that yes, a compromised Windows system is very
commonly the source of an attack.

Best of luck,

John

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
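A worked version of the two suggestions in John's reply (check recent mtimes on the suspect disk without booting from it, and compare binaries against copies from a known-good source), added here as an example and not part of the original thread. It assumes the suspect disk is mounted read-only from trusted boot media such as Knoppix (the mount line, the /mnt/suspect path, the dates and the baseline file name are all illustrative), and GNU find and coreutils. It goes one step beyond the reply: besides listing files modified since a date, it also lists files whose ctime is recent while their mtime is old, since mtime can be reset with touch(1) but ctime cannot be set from user space without moving the clock. The demo tree at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the suspect disk has been
# mounted read-only from trusted boot media (Knoppix etc.), for instance:
#   mount -o ro,noatime,noexec,nodev /dev/sdb1 /mnt/suspect
# so the examination itself does not rewrite atimes. GNU find/coreutils assumed.

# Files under ROOT whose mtime is newer than SINCE (any date touch -d accepts).
modified_since() {
    find "$1" -xdev -type f -newermt "$2" \
        -printf '%TY-%Tm-%Td %TH:%TM mtime  %p\n' | sort
}

# Files whose ctime is newer than SINCE but whose mtime is older: mtime is
# trivially forged with touch(1), ctime cannot be set from user space without
# winding the clock, so this disagreement is a common sign of timestamp tampering.
timestomped() {
    find "$1" -xdev -type f -newerct "$2" ! -newermt "$2" \
        -printf '%CY-%Cm-%Cd %CH:%CM ctime  %TY-%Tm-%Td %TH:%TM mtime  %p\n' | sort
}

# Compare binaries under ROOT with a "sha256  /path" list. The list must come
# from trusted media (distribution packages, an earlier offline backup), not
# from the suspect disk: copies kept there can be replaced like anything else.
# Prints one line per mismatch; returns 1 if any differ.
verify_baseline() {
    root=$1 baseline=$2 bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        actual=$(sha256sum "$root$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path (expected $sum, got ${actual:-missing})"
            bad=1
        fi
    done <"$baseline"
    return "$bad"
}

# Constructed demo tree (not real forensic data) so the script runs offline:
# a clean /bin/ls, a replaced /bin/ps with a backdated mtime, and a sniffer
# dropped in /tmp/.x. Prints the temp directory it built.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/bin" "$d/root/tmp/.x"
    printf 'original ls\n' >"$d/root/bin/ls"
    printf 'trojaned ps\n' >"$d/root/bin/ps"
    printf 'sniffer\n'     >"$d/root/tmp/.x/sniff"
    touch -d '2004-10-01 12:00' "$d/root/bin/ls" "$d/root/bin/ps"   # backdated mtimes
    {
        printf '%s  /bin/ls\n' "$(printf 'original ls\n' | sha256sum | cut -d' ' -f1)"
        printf '%s  /bin/ps\n' "$(printf 'original ps\n' | sha256sum | cut -d' ' -f1)"
    } >"$d/baseline.sha256"
    echo "$d"
}

demo=$(setup_demo)
echo "== modified since 2004-11-15 ==";  modified_since  "$demo/root" '2004-11-15'
echo "== mtime older than ctime ==";     timestomped     "$demo/root" '2004-11-15'
echo "== baseline check ==";             verify_baseline "$demo/root" "$demo/baseline.sha256"
rm -rf "$demo"
```

On a real disk the date passed to modified_since is the last moment you are confident the box was clean, and the baseline comes from the distribution's packages or a backup made before the incident; anything the hash list flags is a candidate for identifying the rootkit.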