-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> A lot depends on whether you want to watch/trace/prosecute/learn
> from/annoy him, or if you just want him off your system.
>
> What I would do (since I like to learn from the intrusions), is to
> follow him around for a while. At minimum, find out what IP address he
> is coming from and how he got into your machine.

The source IP number isn't necessarily helpful - he could be coming from
one of those places offering free shell access.

And definitely follow the guy (if the attacker is a guy :) around - it
won't help you to re-install and not know how they got in the first time
around.

> A simple packet sniffer for Debian can be obtained through `apt-get
> install sniffit`, and then run `sniffit -I`. This will at least tell
> you the open connections to your machine and the IP addresses. If you
> want to see what he's doing, run a packet sniffer (tcpdump, though
> sniffit can probably do it as well) to sniff packets to/from his IP.

Hint: tcpdump -w <filename> -i eth0 host <hostname> is really useful.
Especially if the attacker is stupid enough to do their work through
telnet.

> The syslog is probably the best place to find how he got into your
> system. But it might have been tampered with. If you think it's a
> fairly recent attack, look around your directories a bit with an `ls
> -lart` to show all recently-changed entries. Script kiddie tools are
> easily found this way, though better hackers can hide their tracks.

Especially since they can just do a "rm -rf /var/log" - yes I've seen
that happen.

> Finally, don't trust the output of ps (it may be one that hides their
> tracks), login could have been replaced to have a backdoor and log your
> passwords, etc.

Definitely. Note that an "unusual" ps output can tip you off to their
presence. Witness this output from a compromised RH6.2 system I cleaned
up:

USER       PID %CPU %MEM  SIZE  RSS TTY STAT START   TIME COMMAND
nobody     515  0.0  0.2  1888  140  ?  S    Oct 11  0:00 proftpd (accepting co
nobody    3621  0.0  3.4  6720 2204  ?  S    Oct 15  0:00 httpd
nobody    3622  0.0  3.3  6708 2116  ?  S    Oct 15  0:00 httpd
nobody    3623  0.0  3.3  6708 2112  ?  S    Oct 15  0:00 httpd
nobody    3624  0.0  3.5  6720 2240  ?  S    Oct 15  0:00 httpd
nobody    3625  0.0  3.4  6720 2200  ?  S    Oct 15  0:00 httpd
nobody    3626  0.0  3.3  6708 2132  ?  S    Oct 15  0:00 httpd
nobody    3627  0.0  2.4  6708 1528  ?  S    Oct 15  0:00 httpd
nobody    3628  0.0  2.6  6720 1688  ?  S    Oct 15  0:00 httpd
root         1  0.0  0.1  1120  124  ?  S    Oct 11  0:07 init
root         3  0.0  0.0     0    0  ?  SW   Oct 11  0:01 (kupdate)
root         4  0.0  0.0     0    0  ?  SW   Oct 11  0:00 (kpiod)
root         6  0.0  0.0     0    0  ?  SW<  Oct 11  0:00 (mdrecoveryd)
root       386  0.0  0.2  1420  172  ?  S    Oct 11  0:00 klogd
root       400  0.0  0.2  1328  132  ?  S    Oct 11  0:00 crond
root       414  0.0  0.6  1168  404  ?  S    Oct 11  0:00 inetd
root       484  0.0  0.1  1144   72  S0 S    Oct 11  0:00 gpm -t ms
root       498  0.0  1.0  6576  684  ?  S    Oct 11  0:03 httpd
root       589  0.0  0.0   900   16  ?  S    Oct 11  0:00 papd
root       640  0.0  0.0  1092    0  2  SW   Oct 11  0:00 (mingetty)
root       641  0.0  0.0  1092    0  3  SW   Oct 11  0:00 (mingetty)
root       643  0.0  0.0  1092    0  5  SW   Oct 11  0:00 (mingetty)
root       644  0.0  0.0  1092    0  6  SW   Oct 11  0:00 (mingetty)
root       672  0.0  1.1  2192  736  ?  S    Oct 11  1:12 nmbd
root       699  0.0  0.5  2660  320  ?  S    Oct 11  0:00 xdm
root     23287  0.0  8.8 13036 5580  ?  S N  18:14   0:15 ./quake2 +set dedicat
root     23290  0.0  0.6  1092  404  4  S    18:14   0:00 /sbin/mingetty tty4
root     23551  0.0  0.6  1092  404  1  S    18:37   0:00 /sbin/mingetty tty1
root     24012  0.0  0.7   924  464  ?  S    01:06   0:00 in.telnetd
root     24752  0.0  0.7   924  468  ?  S    01:19   0:00 in.telnetd

Note the absence of various programs, especially bash shells associated
with the telnet processes, or even my own login shell (I was logged in
as 'pbrutsch') :)

> You might run nmap against your own machine to check if any additional
> ports were enabled.

Additional ports aren't always opened. Although if you catch them at the
right time you might find their remote root shell before they close it...

> Once you figure out how your machine was compromised (watching other
> machines get attacked from your own may give a clue here) then check the
> IP he's coming from and see if it was compromised in the same way. If
> so, notify the owner. If not, then this is the hacker's home box and
> you should contact his ISP (or the authorities).

That's not always a possibility. I've seen stolen PPP accounts used; I've
also seen attackers come from a site offering free shell access, without
enough information on how to track down their user ID.

- --
- ----------------------------------------------------------------------
Phil Brutsche                                       [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6B3RD/ZTSZFDeHPwRAl1YAKCbUkilEAorHGxfG2eVip4Pr/uq2gCdFdlu
z3zWabX121Ib1OZN4DQV4qI=
=n2NE
-----END PGP SIGNATURE-----
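The mail's two detection ideas, "don't trust ps" and "telnet daemons with no shells behind them", can be turned into a quick check. The script below is an added example, not code from the original message or from Debian: it compares the PIDs that `ps` reports with the numeric entries the kernel exposes under /proc (a trojaned ps hides entries, /proc does not), and counts in.telnetd processes against interactive shells on a tty. It assumes Linux with procps, reads `ps -eo pid=,user=,tty=,comm=` (fixed columns are easier to parse reliably than the `ps aux` layout quoted above), and the shell name list and sample listing are constructed assumptions.

```python
#!/usr/bin/env python3
"""Cross-check the process list ps reports against the PIDs the kernel
exposes in /proc, plus the "telnet session with no shell" heuristic from
the mail.  Added example; not code from the original message."""
from __future__ import annotations

import os
import subprocess
from dataclasses import dataclass

# Shells (and login) that a live interactive telnet session normally leaves
# visible on a tty or pty.  Assumption: the usual Linux shell names.
SHELL_NAMES = {"bash", "sh", "csh", "tcsh", "ksh", "zsh", "login"}

# Constructed sample in `ps -eo pid=,user=,tty=,comm=` layout, mirroring the
# compromised box in the mail: telnet daemons present, no shells at all.
SAMPLE_PS = """\
    1 root     ?        init
  414 root     ?        inetd
24012 root     ?        in.telnetd
24752 root     ?        in.telnetd
"""


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    tty: str
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid=,user=,tty=,comm=` output: four whitespace-separated
    columns and no header.  comm is last and may itself contain spaces."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 3)
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # blank or malformed line: skip rather than crash
        pid, user, tty, comm = fields
        procs.append(Proc(int(pid), user, tty, comm.strip()))
    return procs


def kernel_pids(proc_root: str = "/proc") -> set[int]:
    """PIDs the kernel exposes: every purely numeric entry under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(kernel: set[int], ps_procs: list[Proc]) -> list[int]:
    """PIDs present in /proc but absent from ps.  A clean ps shows them all;
    a process that started between the two snapshots can appear here too,
    so re-run before drawing conclusions."""
    return sorted(kernel - {p.pid for p in ps_procs})


def telnet_shell_gap(ps_procs: list[Proc]) -> tuple[int, int]:
    """Return (in.telnetd count, interactive shells on a tty).  The mail's
    observation: two telnetd processes and zero shells, not even the
    admin's own login shell, means ps is hiding entries."""
    telnetd = sum(1 for p in ps_procs if p.comm == "in.telnetd")
    shells = sum(
        1 for p in ps_procs
        if p.tty != "?" and os.path.basename(p.comm.lstrip("-")) in SHELL_NAMES
    )
    return telnetd, shells


def report(ps_text: str, kernel: set[int]) -> dict:
    """Combine both checks into one result suitable for logging or alerting."""
    procs = parse_ps(ps_text)
    hidden = hidden_pids(kernel, procs)
    telnetd, shells = telnet_shell_gap(procs)
    return {
        "hidden": hidden,
        "telnetd": telnetd,
        "shells": shells,
        "suspicious": bool(hidden) or telnetd > shells,
    }


if __name__ == "__main__":
    # Live run (Linux only): compare this system's ps with its own /proc.
    out = subprocess.run(
        ["ps", "-eo", "pid=,user=,tty=,comm="],
        capture_output=True, text=True, check=True,
    ).stdout
    print("live:", report(out, kernel_pids()))
    # Demonstration on the constructed sample with one PID ps never showed.
    print("sample:", report(SAMPLE_PS, {1, 414, 24012, 24752, 31337}))
```

Two caveats a practitioner would add: a kernel-level rootkit can hide PIDs from /proc as well as from ps, so a clean comparison is reassuring but not conclusive; and on a box you already suspect, the python, ps and libc binaries themselves may be replaced, so run the check from clean media or a trusted statically linked toolset rather than from the compromised install.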