Computer Forensics

Bradley J. Bartram bradbartram at wycol.com
Mon Mar 18 17:57:28 EST 2002


Here are some random thoughts:

I agree that the only way to truly be confident in the system again is to 
format and reinstall.  Then restore your data from a known good backup.

I can remember on several occasions having to audit a lot of files and 
scripts for clients that did not have proper backups.  In a phrase, it sucks.

Unfortunately, unless there was an intrusion detection system or some sort of 
sniffer capturing traffic to and from the compromised box, good luck with any 
sure-fire forensics.  The best you can hope for is:

1 - The kiddie was sloppy and didn't nuke the logs and;
2 - The kiddie was attacking from its real address.

To get one of those is fairly common (there are a lot of sloppy kiddies out 
there), to get both is almost worthy of miracle status.  :)

Now, if this system was your gateway box, meaning not the cow but the default 
gateway where all your traffic from your internal network and your external 
traffic gets translated, you may have a larger issue on your hands.  Assuming 
this kiddie had root on your gateway, your internal network was also at risk.

If you're on a hub, try running Ethereal or some other promiscuous mode 
sniffer on your internal network for a little while to see if there's any 
nasty activity.  Ethereal, if you're not familiar, captures network traffic 
and outputs it to a nice graphical interface.  Of course you can also use 
tcpdump or snort to do the same thing.  It all depends on how adventurous you 
are.

If you are on a switched network, use DSniff.  It's a little rough to get set 
up with depending on the system, but it's fun to play with.  ;->

This kind of output is daunting at first but in a little while of looking at 
it you'll be able to see all sorts of nice activity.  For example, on my home 
network I have three Linux boxes (Mandrake) and a couple Windows 98 systems.  
Most of my traffic consists of SMB, NMB, POP, HTTP and the occasional odd 
protocol I'm working with.  Once you determine what's normal for your 
situation, you can then evaluate if there's anything abnormal.

Some things to look for are IRC servers and such.  This seems to be the most 
popular low-level root kit by product.  You also tend to see DDoS zombies and 
sniffers.  From what was originally described, this is probably what will be 
found as this does not have the calling card of a pro.

One of the more valuable tools in this type of situation is a CD that 
contains several nice runtime tools which are always suspect after a 
compromise:

find, netstat, ls, top, ps, pstree, lsmod, grep

These are just a few but you get the general idea of what to put on a tools 
CD.  The above are most commonly replaced in order to hide the payload of the 
root kit or the services running.

As always, remember these security tenets:

1 - If a hacker cannot find services running on your system, it's infinitely 
more complex to get into.  (One of the principles of a firewall)  In short, 
if you don't need it, turn it off.

2 - Old software is not your friend.  Keep it current with the latest 
security patches.

3 - Passwords can be compromised if they're not secure.  A vast wealth of 
info has been written on password security which I'll not repeat but it's 
worth looking into.

If you remember those three things, your systems will remain yours much 
longer than if you don't.

As a reference I recommend the following books for the security beginner:

Hacking Exposed
Hacking Linux Exposed
Hack Proofing Your Network (has a great section explaining buffer overflows 
and why they are a danger)
www.insecure.org (great links to security related articles)
www.sans.org
of course security focus
www.cert.org
www.microsoft.com (just kidding!)

Well, I've rambled on enough.  Hope my $.02 helps a little.

Brad Bartram

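The tools-CD list above and Bob's off-box MD5SUM idea below combine naturally into a checksum baseline for the binaries a rootkit tends to replace. This is an added example, not code from anyone in the thread; it uses sha256sum in place of md5sum, assumes GNU coreutils and mktemp, and stands up a constructed temp directory in place of /bin.

```shell
#!/bin/sh
# Added example, not code from the thread: baseline the binaries the
# thread says rootkits commonly replace, keep the sums off-box, and
# re-check from trusted media. sha256sum stands in for md5sum;
# GNU coreutils and mktemp are assumed.

# Binaries listed in Brad's message as commonly replaced by a root kit.
SUSPECT_BINS="find netstat ls top ps pstree lsmod grep"

# baseline_create OUTFILE DIR: record "hash  path" for each suspect
# binary found under DIR. Copy OUTFILE to another machine afterwards.
baseline_create() {
  : > "$1"
  for b in $SUSPECT_BINS; do
    if [ -f "$2/$b" ]; then sha256sum "$2/$b" >> "$1"; fi
  done
}

# baseline_verify BASELINE: print a MODIFIED/MISSING line for every
# entry that no longer matches; return the number of such entries.
baseline_verify() {
  bad=0
  while read -r want path; do
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"; bad=$((bad + 1)); continue
    fi
    have=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
      echo "MODIFIED $path"; bad=$((bad + 1))
    fi
  done < "$1"
  return "$bad"
}

# demo_tampered_host: constructed scenario in a temp dir standing in for
# /bin: baseline all eight files, then replace 'ps' and delete 'netstat'.
# Prints the mismatch count, which should be 2.
demo_tampered_host() {
  d=$(mktemp -d)
  for b in $SUSPECT_BINS; do printf 'original %s\n' "$b" > "$d/$b"; done
  baseline_create "$d/baseline.sha256" "$d"
  printf 'replaced ps\n' > "$d/ps"      # simulated rootkit replacement
  rm "$d/netstat"                       # simulated removed binary
  if baseline_verify "$d/baseline.sha256" >/dev/null; then n=0; else n=$?; fi
  rm -rf "$d"
  echo "$n"
}

demo_tampered_host
```

On a real box, run baseline_create from the clean install and baseline_verify from the tools CD with the baseline fetched from the remote copy, since a local baseline and a local sha256sum are exactly what a root kit would replace.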

On Monday 18 March 2002 01:55 pm, you wrote:
> there's an article at
> linuxsecurity.com/feature_stories/data-hiding-forensics.html about ways
> to hide data in such a way that checksums, and md5sums do not matter,
> very interesting read.
>
> if you ask me the only way to deal with a compromised system is to wipe
> it and start from scratch, and restore the content from a "known good
> backup", known good being the key phrase.
>
> this leaves the question, if systems ABC was compromised what about DEF,
> XYZ, and so forth?
>
> Robert Meyer wrote:
> > > So, with all the knowledge here, I'd like to ask:
> > >
> > > 1) What's the best way to deal with a compromised system?
> > > 2) I used "find", "awk", "sed", "grep" to aid me with disseminating
> > > what happened and what had been changed. Anyone know of a better way?
> > > 3) I may have missed it, but has there ever been discussion (online or
> > > offline) regarding computer security?
> >
> > The best way to deal with a compromised system is to start over by
> > formatting the disk and reloading your data from backups (everyone keeps
> > good backups, don't they :-).  One of the problems with compromised
> > systems is that some of the crackers (I don't use the word 'hacker' for
> > criminals) are very good at hiding their tracks.  Some of the best
> > rootkits are real good at getting the original date of the files that
> > they replace and use 'touch' (read the man page) to set the date of their
> > newly installed executables/scripts to be the same as the originals.  The
> > hard part then, is finding out when the system was compromised so you
> > know how far back in your backups to go to get something that wasn't
> > damaged.
> >
> > In general, you'd like to keep two sets of backups if you can.  One
> > backup is a full backup of all of the filesystems that you use to recover
> > the system in the event of a catastrophic failure. The second set is a
> > backup of your data.  If you put data on separate filesystems from the
> > O/S, then you only need one backup set.
> >
> > A good rule of thumb is to try to keep archived backup sets for at least
> > two years.  You'd be surprised how far back I've had to go to get things.
> >
> > I've never been a fan of trying to 'clean' a compromised system because
> > you can never be sure if you got everything.  There are tools out there
> > that store MD5SUMs of all of the critical files on your system.  You
> > would keep copies of these sums on another machine.  Then if you suspect
> > that a system has been compromised, you could mount the disk with
> > 'nosuid', etc. and check the sums of all of the files.  This takes quite
> > a while (probably more time than a format and restore). You might want to
> > keep spare disks around to restore your system to and then keep the
> > compromised disk around to play forensics games with at your leisure.
> >
> > A great place to look for security information is a place called
> > 'Security Focus' (http://securityfocus.com if you couldn't guess :-).  If
> > you want to get real paranoid, read this site a lot.
> >
> > Now that I've drifted way off the original topic, I'll shut up.
> >
> > Cheers!
> >
> > Bob
> >
> > =====
> > Bob Meyer
> > Knightwing Communications, Inc.
> > 36 Cayuga Blvd
> > Depew, NY 14043
> > Phone: 716-308-8931 or 716-681-0076
> > Meyer_RM at Yahoo.com
> >

