UNIX Postmortem - PowerPoint PPT Presentation

Provided by: csU95
Learn more at: http://www.cs.umsl.edu


1
UNIX Postmortem
  • Mark Henman

2
Introduction
  • For most system administrators, there is no
    question that at some point at least one of their
    systems is going to be hijacked by someone else.
  • This presentation should provide enough
    information to help an administrator quickly and
    successfully recover from an attack.

3
Discovery
  • Realize that you've been hacked
  • Tools
  • Observation

4
Realize that you've been hacked
  • Crackers used to make themselves known quickly
  • Web site defacing
  • Today's crackers hide
  • Hijacked machine market

5
Tools
  • seccheck
  • chkrootkit
  • Tripwire
  • Snort
  • Use more than one form of intrusion detection.
  • Watch for intruders inside and out.

6
Trust Nothing!
  • Files may have been replaced
  • Binaries
  • Shared Libraries
  • Kernel

7
Trust Nothing!
  • Disconnect the Network
  • Shut down the system
  • Boot from a trusted hard drive
  • Mount compromised file systems without execute
    permissions

8
Examining The System
  • Log Files
  • Changed system executables
  • Shared libraries
  • Viewed files
  • Back doors
  • Other network accessible systems
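
The steps on slides 7 and 8 (boot from trusted media, mount the compromised file system without execute permissions, then look for changed system executables), shown as an added shell example that is not part of the original presentation. The device name /dev/sdX1, the mount point /mnt/suspect, the baseline.sha256 manifest and the function names are assumptions.

```shell
#!/bin/sh
# Run from the trusted boot environment, never from the suspect system.
# Assumed mount of the suspect partition (/dev/sdX1 is a placeholder):
#   mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/suspect
# Assumed baseline, made earlier on a known-good install:
#   (cd / && find bin sbin -type f -exec sha256sum {} +) > baseline.sha256

# compare_to_baseline ROOT MANIFEST
# Prints "CHANGED path", "MISSING path" or "SYMLINK path" per discrepancy.
# Hashing uses the trusted system's sha256sum; nothing under ROOT is executed.
compare_to_baseline() {
    root=$1
    manifest=$2
    while read -r want path; do
        [ -n "$path" ] || continue
        path=${path#\*}                 # drop sha256sum's binary-mode marker
        target="$root/$path"
        if [ -L "$target" ]; then
            # An absolute symlink would resolve on the trusted disk, not the
            # suspect one, so report it for manual review instead of hashing.
            echo "SYMLINK $path"
        elif [ ! -f "$target" ]; then
            echo "MISSING $path"
        else
            got=$(sha256sum < "$target" | cut -d' ' -f1)
            [ "$got" = "$want" ] || echo "CHANGED $path"
        fi
    done < "$manifest"
}

# Constructed sample data: a "known-good" tree and a tampered copy of it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/bin" "$tmp/suspect/bin"
    for f in login ls ps su; do
        printf '%s-original\n' "$f" > "$tmp/good/bin/$f"
    done
    (cd "$tmp/good" && sha256sum bin/*) > "$tmp/baseline.sha256"
    cp "$tmp/good/bin/ls" "$tmp/suspect/bin/ls"        # untouched
    printf 'ps-replaced\n' > "$tmp/suspect/bin/ps"     # content differs
    ln -s /bin/sh "$tmp/suspect/bin/su"                # swapped for a symlink
    # bin/login is absent from the suspect tree
    compare_to_baseline "$tmp/suspect" "$tmp/baseline.sha256"
    rm -rf "$tmp"
}

demo
```

On a real system, keep the baseline manifest on read-only or offline media so an intruder cannot rewrite it along with the binaries.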

9
System Restoration
  • Backup user data
  • Check for alterations
  • Re-install the Operating System
  • Restore user data

10
Follow-up
  • Harden the system against attack
  • Check for abnormal behavior
  • Bring the system back into service
  • Monitor the log files

11
Conclusion
  • Don't panic!
  • Isolate quickly
  • Examine slowly and carefully
  • Protect the system from a repeat attack

12
Where to Get More Information
  • www.snort.org
  • www.tripwire.org
  • www.chkrootkit.org
  • www.sans.org