Need urgent help regarding security

Will Maier willmaier at ml1.net
Wed Nov 16 18:06:22 PST 2005


On Wed, Nov 16, 2005 at 05:25:52PM -0800, Mark Jayson Alvarez wrote:
> However, we still haven't brought the server down in an attempt to
> track the intruder down. Right now we are clueless as to what we
> need to do. Most of our servers are running legacy operating
> systems (old versions, mostly FreeBSD). Also, that particular server
> is running ProFTPD Version 1.2.4, which someone has suggested has a
> known vulnerability.

You should take the box off the network immediately. Before doing
so, get a dump of all open files using lsof(8), especially open
network sockets. The following is a start:

    <as root>
    # lsof -Pni > /root/openfiles.txt

Do not use shutdown(8) or reboot(8) to shut the machine down, as
these may trigger scripts that could remove or obfuscate evidence of
the breakin. Simply powering the machine off will leave it in a
relatively pristine state.

The machine will need to be rebuilt, and all passwords on it
retired. Consider whether the attacker could have compromised other
systems on your network via this machine; if so, change relevant
passwords and investigate further.

Do not boot from the compromised hard disk again; instead, mount it
on a safe machine and take a disk image. Do not alter the disk
itself -- all investigation should occur using copies of the image.

If the other machines are in a state similar to the compromised
machine (in terms of OS upgrades, software upgrades, exposure),
develop a plan to bring them to a known safe/protected level.
At a minimum, unnecessary services should be turned off, strict
password requirements should be set, and all software (OS and third
party) should be updated.

For extra credit:
Using the image and the dump of open files, try to determine the
vector used to launch the attack. Understanding how they got in
might help you as you move to secure your other machines.

You're going to have rather a lot of work to do, unfortunately,
which is a rough way to start at your new job. If the previous admin
had kept the machines up to date, the likelihood that you'd have to
respond to a security incident on unfamiliar systems would be
dramatically lessened. Do the next admin a favor: keep these
machines secure after you rebuild them.


-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier at jabber.ccc.de | email:..........wcmaier at ml1.net |
| \.........wcmaier at cae.wisc.edu | \..........wcmaier at cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*

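The collection and imaging steps described in the reply above, as an added shell example that is not part of the original post: it captures the volatile state first (open files and sockets, which disappear on power-off), records a hash manifest of the outputs, and then images a disk from a clean host and verifies the copy before any analysis touches it. The function names sha256_of, collect_volatile, image_and_verify and verify_image are my own; the script assumes a POSIX sh with either sha256 (FreeBSD) or sha256sum (Linux) available, and treats lsof, sockstat, netstat, ps and w as optional.

```shell
#!/bin/sh
# Added example: volatile-evidence capture and verified disk imaging.
# Write the output directory to removable media or a remote mount, not to
# the compromised disk, so the evidence itself is not altered.

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Run each collection command that exists, save its output under $1,
# and record a manifest of hashes so the files can be checked later.
collect_volatile() {
    out="$1"
    mkdir -p "$out" || return 1
    date -u > "$out/00_timestamp.txt"
    uname -a > "$out/01_uname.txt"
    # Open files and sockets first: they are the most perishable state.
    for cmd in "lsof -Pni" "sockstat -4 -6" "netstat -an" "ps auxww" "w"; do
        name=$(printf '%s' "$cmd" | cut -d' ' -f1)
        if command -v "$name" >/dev/null 2>&1; then
            $cmd > "$out/$name.txt" 2>"$out/$name.err" || true
        fi
    done
    : > "$out/MANIFEST.sha256"
    for f in "$out"/*.txt; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$out/MANIFEST.sha256"
    done
}

# Compare source and image digests; a mismatch means read errors or
# an altered copy, and the image must not be trusted for analysis.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Raw copy of a device (or, for testing, a file) followed by verification.
# bs=512 matches the sector size, so a padded block after a read error
# keeps later offsets aligned, and a clean copy hashes identically.
image_and_verify() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    verify_image "$src" "$img" || return 1
    printf '%s  %s\n' "$(sha256_of "$img")" "$img" > "$img.sha256"
}
```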

