Security Incidents mailing list archives
Re: backdoor
From: Jonas M Luster <jluster () d-fensive com>
Date: Sun, 23 Jun 2002 13:06:49 -0700
Quoting Hugo van der Kooij (hvdkooij () vanderkooij org):
> > hi, My box was compromised, and i cant rm a binary that listens over tcp, i need help support, watch:
>
> S.O.P. (Standard Operating Procedures) describe that a compromised box should be considered lost and be installed from scratch.
S.O.P: Someone broke into my house and stole my TV. Let's just go ahead and level the whole building and build a new one. S.O.P in this case stands for Severely Overreacting Professional.
From the SOP I usually hand out:
| What to do if your system appears compromised:
| ==============================================
|
| * Ensure isolation on router/switch level. Do not prohibit traffic
|   out, but ensure the safety of your systems and the 'net. Some
|   systems are booby-trapped to destroy themselves and all evidence
|   when put into isolation (simple ping, triggering a fdisk can do
|   that).
|
| * Perform standard forensic analysis on compromised system. Compare
|   MD5 or SHA checksums with those auto-archived during the install and
|   on a weekly basis (you don't have them? What are you doing on the
|   'net calling yourself a professional or even administrator)
|
| * Can you - without the shadow of a doubt - explain the incident? If
|   yes, restore your system and go back to work. If not...
|
| * Ensure there are no booby traps in the system that destroy evidence
|   when shutdown. Make sure you already checked memory and other
|   volatile parts of the system before shutting it down.
|
| * What are the implications of shutting the system down hard (pull the
|   plug)? If you are unsure, check the 'net. Decide how to take the
|   system down.
|
| * Mount the system's HDs in a known safe machine. Mount r/o.
|
| * Perform standard forensic work - use TCT or TASK to do so.
|
| * Can you - without the shadow of a doubt - explain the incident? If
|   yes, restore your system and go back to work. If not...
|
| * Call someone who knows. Your system may not be the only compromised
|   system in the network. The way in might have been used elsewhere.
|   Ensure your network is safe.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
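The checksum-comparison step of the SOP above, as an added example that is not part of the original post: a baseline of file hashes is built at install time and archived off the box, then rebuilt at incident time and diffed to list modified, added and removed files. The `demo` file tree and its contents are constructed, and the incident-time run is assumed to happen from a trusted host over the suspect disk mounted read-only, since the compromised system's own tools cannot be trusted.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256.
    Run at install time and archive the result off the box; at incident time run
    it again from a trusted host over the suspect disk mounted read-only."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):  # hash real files only, skip symlinks
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_file(full)
    return baseline

def compare(old, new):
    """Return (modified, added, removed) relative paths, each list sorted."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return modified, added, removed

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario, not real data: a clean install, then a replaced
    `ps` and a new listening binary, as in the incident the thread discusses."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls")
        _write(root, "bin/ps", b"original ps")
        archived = build_baseline(root)          # the install-time baseline
        _write(root, "bin/ps", b"trojaned ps")   # rootkit copy hides processes
        _write(root, "bin/bd", b"tcp listener")  # the binary that cannot be rm'd
        return compare(archived, build_baseline(root))
```

Hashing the suspect disk with the archived baseline's own tool from a clean host sidesteps a trojaned `md5sum` or `sha1sum` on the compromised system; the weekly re-archiving the SOP asks for keeps legitimate package updates from showing up as "modified".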