Computer Forensics

Ronald Maggio r.v.maggio at worldnet.att.net
Sun Mar 17 18:35:35 EST 2002


----- Original Message -----
From: "[Darth] Snowbeam" <linux at snowbeam.dyndns.org>
To: "Niagara Frontier Linux Users Group" <nflug at nflug.org>
Sent: Sunday, March 17, 2002 6:14 PM
Subject: Computer Forensics


> Security has always been important to me, but recently I've been slacking
> off. So I decided to take a couple of hours to clean up a couple of
> machines I have here and there.
>
> It all went well until I got to one of my oldest boxes. It was an old
> 486 with Red Hat Linux 5.1; it was my first attempt at using linux quite a
> number of years ago. Quite frankly, applying patches and implementing
> security measures was not even on my list. I was in my "Oooh, something
> that looks like UNIX and lets me use editors and compilers like UNIX and
> hey, I can do my c++ projects at home" phase. Lo and behold c++ projects
> were over, I got a new PC and this was relegated to my basement. So, I
> brought this box out of retirement and figured I could use it for
> something. I jacked it into the network and mmmm, I was rolling (it was
> nice to see RH as they were not all that long ago). Anyway, I started to
> download RH updates, patches and you name it. In the process of this I
> fell asleep. I woke up the next morning and the downloads to the machine
> were complete. Now, here is the funny thing. I was woken up by the
> machine's hard drive churning away, so I get online and do a process
> listing. All I can say is wow! Three people are logged onto my box doing
> nothing, just idling there. I look at the home directories and they had
> been created that night. One was "lamer" and I fail to recall the other
> two right now.
>
> First thing I did was burst out in laughter. Hey, it's not every day
> your box gets hacked. My humor stemmed from the fact that this was a
> default install of RH Linux from just 4+ years ago. Something I had
> installed with a minimalist understanding of Linux/UNIX at the time. Now
> apply that to all new users of Linux today and the irony becomes apparent.
>
> Well after I had composed myself, I took the box off the network. Now
> what? My original plan was to update the security on the box for the hell
> of it. These guys, had now provided me with an actual purpose. I decided
> to do some computer forensics. Computer forensics is a pretty huge
> subject, so I have abused the phrase in the sense that I only performed a
> subset of the category.
>
> So like I said, first thing was to take the compromised machine off the
> network. I deactivated the newly created accounts. Using "find" I searched
> for setuid and setgid files in /usr/sbin, /sbin and /etc (smile of
> embarrassment on my face). I searched for recently modified files and was
> impressed. Some crontabs were modified, new versions of top, ps and a host
> more existed. The crontabs were interesting in that they called scripts in
> /usr/lib. The scripts' purpose was to recreate the accounts I just
> deactivated, pinged yahoo.com and when a good response was received, an
> e-mail was sent to a yahoo address with my IP address. I turned all those
> off. Now, one of the things I had downloaded that night was IPchains. I
> needed to get this machine online again momentarily and figured install
> it, get my tcp wrappers in order and voila I can get online. The moment I
> was on, I had e-mail attempting to get out and connections attempting to
> come in. I'll say it now, programs like ipchains and ipfilter, really are
> good. By this point I figured that my box had been overly compromised. I
> downloaded RH Linux 8.1 (I've already been asked why I'm sticking with the
> same distro, answer is, let's see how much they've changed).
>
> So, with all the knowledge here, I'd like to ask:
>
> 1) What's the best way to deal with a compromised system?
> 2) I used "find", "awk", "sed", "grep" to aid me with disseminating what
>    happened and what had been changed. Anyone know of a better way?
> 3) I may have missed it, but has there ever been discussion (online or
>    offline) regarding computer security?
>
> ---------
> - [Darth] Snowbeam
>
> "It is not fear that keeps the elephant wary of the mouse, it is his
> wisdom that reminds him not to underestimate his opponent" -me
>
> <-----------------------------snip------------------------------------>
You totally lost me!! I think that this would be a good subject at one of
the meetings.
Security for beginners, and? Why you should? With a step by step view of how
to set it up, and how to configure it for your needs. With an emphasis on
what you need to block off (AKA the total picture) in that list of open
holes! In other words Security for Dummies 101

Just my two cents worth:)

Ron


