Darin.Perusich at cognigencorp.com
Mon Mar 18 13:55:41 EST 2002
there's an artical at
linuxsecurity.com/feature_stories/data-hiding-forensics.html about ways
to hide data in such a way that checksums, and md5sums do not matter,
very interesting read.
if you ask me the only way to deal with a compromised system it to wipe
it and start from scratch, and restore the content from a "known good
backup", known good being the key phrase.
this leaves the question, if systems ABC was compromised what about DEF,
XYZ, and so forth?
Robert Meyer wrote:
> > So, with all the knowledge here, I'd like to ask:
> > 1) What's the best way to deal with a compromised system?
> > 2) I used "find", "awk", "sed", "grep" to aide me with disseminating what
> > happened and what had been changed. Anyone know of a better way?
> > 3) I may have missed it, but has there ever been discussion (online or
> > offline) regarding computer security?
> The best way to deal with a compromised system is to start over by formatting
> the disk and reloading your data from backups (everyone keeps good backups,
> don't they :-). One of the problems with compromised systems is that some of
> the crackers (I don't use the word 'hacker' for criminals) are very good at
> hiding their tracks. Some of the best rootkits are real good at getting the
> original date of the files that they replace and use 'touch' (read the man
> page) to set the date of their newly installed executables/scripts to be the
> same as the originals. The hard part then, is finding out when the system was
> compromised so you know how far back in your backups to go to get something
> that wasn't damaged.
> In general, you'd like to keep two sets of backups if you can. One backup is a
> full backup of all of the filesystems that you use to recover the system in the
> event of a catastrophic failure. The second set is a backup of your data. If
> you put data on separate filesystems from the O/S, then you only need one
> backup set.
> A good rule of thumb is to try to keep archived backup sets for at least two
> years. You'd be surprised how far back I've had to go to get things.
> I've never been a fan of trying to 'clean' a compromised system because you can
> never be sure if you got everything. There are tools out there that store
> MD5SUMs of all of the critical files on your system. You would keep copies of
> these sums on another machine. Then if you suspect that a system has been
> compromised, you could mount the disk with 'sosuid', etc. and check the sums of
> all of the files. This takes quite a while (probably more time than a format
> and restore). You might want to keep spare disks around to restore your system
> to and then keep the compromised disk around to play forensics games with at
> your leisure.
> A great place to look for security information is a place called 'Security
> Focus' (http://securityfocus.com if you couldn't guess :-). If you want to get
> real paranoid, read this site a lot.
> Now that I've drifted way off the original topic, I'll shut up.
> Bob Meyer
> Knightwing Communications, Inc.
> 36 Cayuga Blvd
> Depew, NY 14043
> Phone: 716-308-8931 or 716-681-0076
> Meyer_RM at Yahoo.com
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
Unix Systems Administrator
darinper at cognigencorp.com
More information about the nflug