Computer Forensics

[Darth] Snowbeam linux at snowbeam.dyndns.org
Sun Mar 17 18:14:20 EST 2002


Security has always been important to me, but recently I've been slacking
off. So I decided to take a couple of hours to clean up a couple of
machines I have here and there.

It all went well until I got to one of my oldest boxes. It was an old
486 with Red Hat Linux 5.1; it was my first attempt at using Linux quite a
number of years ago. Quite frankly, applying patches and implementing
security measures was not even on my list. I was in my "Oooh, something
that looks like UNIX and lets me use editors and compilers like UNIX and
hey, I can do my c++ projects at home" phase. Lo and behold c++ projects
were over, I got a new PC and this was relegated to my basement. So, I
brought this box out of retirement and figured I could use it for
something. I jacked it into the network and mmmm, I was rolling (it was
nice to see RH as they were not all that long ago). Anyway, I started to
download RH updates, patches and you name it. In the process of this I
fell asleep. I woke up the next morning and the downloads to the machine
were complete. Now, here is the funny thing. I was woken up by the
machine's hard drive churning away, so I get online and do a process
listing. All I can say is wow! Three people are logged onto my box doing
nothing, just idling there. I look at the home directories and they had
been created that night. One was "lamer" and I fail to recall the other
two right now. 

First thing I did was burst out in laughter. Hey, it's not every day
your box gets hacked. My humor stemmed from the fact that this was a
default install of RH Linux from just 4+ years ago. Something I had
installed with a minimalist understanding of Linux/UNIX at the time. Now
apply that to all new users of Linux today and the irony becomes apparent.

Well after I had composed myself, I took the box off the network. Now
what? My original plan was to update the security on the box for the hell
of it. These guys had now provided me with an actual purpose. I decided
to do some computer forensics. Computer forensics is a pretty huge
subject, so I have abused the phrase in the sense that I only performed a
subset of the category.

So like I said, first thing was to take the compromised machine off the
network. I deactivated the newly created accounts. Using "find" I searched
for setuid and setgid files in /usr/sbin, /sbin and /etc (smile of
embarrassment on my face). I searched for recently modified files and was
impressed. Some crontabs were modified, new versions of top, ps and a host
more existed. The crontabs were interesting in that they called scripts in
/usr/lib. The scripts' purpose was to recreate the accounts I just
deactivated, ping yahoo.com and when a good response was received, an
e-mail was sent to a yahoo address with my IP address. I turned all those
off. Now, one of the things I had downloaded that night was IPchains. I
needed to get this machine online again momentarily and figured install
it, get my tcp wrappers in order and voila I can get online. The moment I
was on, I had e-mail attempting to get out and connections attempting to
come in. I'll say it now, programs like ipchains and ipfilter, really are
good. By this point I figured that my box had been overly compromised. I
downloaded RH Linux 8.1 (I've already been asked why I'm sticking with the
same distro, answer is, let's see how much they've changed).

So, with all the knowledge here, I'd like to ask:

1) What's the best way to deal with a compromised system?
2) I used "find", "awk", "sed", "grep" to aid me with disseminating what
   happened and what had been changed. Anyone know of a better way?
3) I may have missed it, but has there ever been discussion (online or
   offline) regarding computer security?

---------
- [Darth] Snowbeam

"It is not fear that keeps the elephant wary of the mouse, it is his
wisdom that reminds him not to underestimate his opponent" -me



More information about the nflug mailing list
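The checks the poster walked through (setuid/setgid files under /usr/sbin, /sbin and /etc, recently modified files, and cron entries that call scripts under /usr/lib), as an added shell example that is not code from the original post. Each function takes the root of the filesystem being examined so it can be run against a mounted copy of the compromised disk; the post notes ps and top had been replaced, so the live box's own tools are not trustworthy. The /mnt/evidence path, the three-day window and the `/usr/lib/` pattern are assumptions.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Every function takes
# ROOT, the mount point of the suspect filesystem (use "/" only on a live box
# whose binaries you still trust; the poster's ps and top had been replaced).

# Setuid or setgid regular files under ROOT/<dir> for each dir given.
find_setuid_setgid() {
    root=$1; shift
    for d in "$@"; do
        if [ -d "$root$d" ]; then
            find "$root$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
        fi
    done
    return 0
}

# Regular files under ROOT modified within the last DAYS days.
find_recent() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null
    return 0
}

# Cron entries (system crontab, cron.d, per-user spool) whose line matches
# PATTERN, printed as file:line:entry. The poster's crontabs called scripts
# in /usr/lib, which is not a normal place for cron jobs to live.
find_cron_refs() {
    root=$1; pattern=$2
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -n -- "$pattern" "$f" | sed "s|^|$f:|"
    done
    return 0
}

# Stand-alone run: ./triage.sh /mnt/evidence (assumed mount point of the image).
if [ -n "$1" ]; then
    echo "== setuid/setgid in /usr/sbin /sbin /etc"; find_setuid_setgid "$1" /usr/sbin /sbin /etc
    echo "== files modified in the last 3 days";     find_recent "$1" 3
    echo "== cron entries touching /usr/lib";        find_cron_refs "$1" '/usr/lib/'
fi
```

Compare the setuid list and the recently modified files against a known-good install (or a package database from clean media) rather than against the suspect system's own records.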