UNIX Postmortem
Mark Henman

Introduction

For most system administrators, there is no question that at some point at least one of their systems is going to be hijacked by someone else.

This presentation should provide enough information to help an administrator quickly and successfully recover from an attack.

Discovery

- Realize that you’ve been hacked
- Tools
- Observation

Realize that you’ve been hacked

- Crackers used to make themselves known quickly
  – Web site defacing
- Today’s crackers hide
- Hijacked machine market

Tools

- seccheck
- chkrootkit
- Tripwire
- Snort

Use more than one form of intrusion detection.

Watch for intruders inside and out.

Trust Nothing!

- Files may have been replaced
  – Binaries
  – Shared Libraries
  – Kernel

Trust Nothing!

- Disconnect the network
- Shut down the system
- Boot from a trusted hard drive
- Mount compromised file systems without execute permissions

Examining The System

- Log files
- Changed system executables
- Shared libraries
- Viewed files
- Back doors
- Other network accessible systems

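An added example, not from the original slides, that puts two of the preceding steps into practice: the mount options for examining a compromised file system from a trusted boot, and a check of system executables and shared libraries against a baseline manifest built from trusted media. The suspect mount root, the manifest format ("sha256 relative/path" lines) and the use of coreutils sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original slides.
# Assumptions: the suspect file system is mounted under a root such as
# /mnt/suspect, and a baseline manifest of "sha256 relative/path" lines is
# generated from trusted media (clean install or read-only backup), never
# from the suspect disk itself.

# Mount options for a compromised file system: read-only, no execution of
# its binaries, no honouring of set-uid bits, no device nodes. Example use
# from a trusted boot:  mount -o "$(suspect_mount_opts)" /dev/sdb1 /mnt/suspect
suspect_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev'
}

# Build a baseline manifest from a trusted root for the given relative paths.
# Usage: make_manifest /mnt/trusted bin/ls lib/libc.so > baseline.txt
make_manifest() {
    trusted="$1"; shift
    for p in "$@"; do
        printf '%s %s\n' "$(sha256sum "$trusted/$p" | cut -d' ' -f1)" "$p"
    done
}

# Compare every manifest entry against the file under the suspect root.
# Prints "MODIFIED path" or "MISSING path" per finding; returns 1 if any.
verify_against_manifest() {
    root="$1"; manifest="$2"; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return "$bad"
}
```

Because the suspect root is mounted noexec, nothing from it is ever executed during the comparison; only the trusted boot's sha256sum runs.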
System Restoration

- Back up user data
- Check for alterations
- Re-install the operating system
- Restore user data

Follow-up

- Harden the system against attack
- Check for abnormal behavior
- Bring the system back into service
- Monitor the log files

Conclusion

- Don’t panic!
- Isolate quickly
- Examine slowly and carefully
- Protect the system from a repeat attack

Where to Get More Information

- www.snort.org
- www.tripwire.org
- www.chkrootkit.org
- www.sans.org