Bill Jonas on Mon, 15 Jul 2002 06:00:08 +0200



Re: [PLUG] how to tell which process binds to which port?


On Sun, Jul 14, 2002 at 05:25:50PM -0500, Sean Finney wrote:
> if you find someone logging in to your box, a little wall message
> should scare them off, and you'll know where they came from to boot. 

Not if you value your data.  If you *must* do this, back up anything you
want to save *first*.  If any valuable (for varying amounts of value)
data is backed up, you've nothing to lose since you're going to
reinstall anyway.  I'd also recommend backing up the logs if you want to
go digging through them, and the whole system if you want to attempt a
post-mortem.  (There are some software packages that will attempt to
reconstruct what happened by looking at the atime of the files.  I don't
know that tar saves this, though; I don't believe it does.  You'd want
to back up filesystem images (dd the disk) to be sure of saving all the
information.)

Rationale: See, the first thing this black-hat (assuming that your
system *has* been compromised) is going to think when they see your
message is, "Oh <expletive>, I've been caught."  The second thing is,
"How can I cover my tracks?"  The most expedient answer is a quick "rm
-rf /".

Another thing to consider is that unless you can babysit the machine
24/7 until you see your intruder back on the system, it's really quite
irresponsible to leave the compromised system running.  It can be used
as a platform to crack other systems, in which case the intrusion
attempts would get traced back to you, a platform for DDoS attacks, FTP
server for warez/kiddie porn/etc, or who knows what else.  Legally,
you're responsible for what's done with your machine; and while some
leeway might be given if the system was being used by an unauthorized
intruder, I would think that none would be given for a case of "the
system was compromised but I was trying to catch this guy in the act and
make him wet his pants".  (Jon, Arthur, any thoughts?)  It's about being
a good neighbor on the 'Net.

> if you are hacked, you could also a) just re-install from scratch, and/or 
> b) report the hacker to their isp.  i think neither of those would be
> nearly as gratifying though :)

Better yet: Do both of the above, and, if you must, your suggestion too
(taking the proper precautions first).

> i'd recommend getting on another machine, and re-compiling your
> shell-utils, base-utils, et cetera packages as static binaries, and
> then use those to investigate.

Yes, very good advice.  Don't make the mistake, though, of trying to
salvage the installation; it's almost certainly less work and definitely
less error-prone to reinstall than to take every step to be absolutely
sure that the machine has been cleaned.  (Perhaps, unless you've
planned ahead for this by, e.g., using tripwire.  But even in that case,
I'd personally still go the reinstall route.)

-- 
Bill Jonas    *    bill@billjonas.com    *    http://www.billjonas.com/
"They that can give up  essential  liberty to obtain a little temporary
safety deserve neither liberty nor safety."        -- Benjamin Franklin
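The preservation steps Bill describes (record what you can before touching anything, save the logs, image the disk with dd rather than rely on an archive format, and write everything to media other than the suspect disk) as an added shell example; this is not code from the thread or from any of its participants. It assumes GNU findutils and coreutils (find -printf, sha256sum); the variable names SUSPECT_DEV, SUSPECT_ROOT and EVIDENCE_DIR are choices made here, not anything the thread mentions.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): preserve evidence from a host
# you suspect is compromised, before anyone (you or the intruder) changes it.
# Assumes GNU find -printf and sha256sum. EVIDENCE_DIR must be on separate
# media; writing to the suspect disk overwrites the very data you want.

# snapshot_timestamps ROOT OUT
# Record atime/mtime/ctime of every file under ROOT first. Reading a file
# (tar, grep, even cat) updates its atime, so this must run before any copy.
# Prints the number of entries recorded.
snapshot_timestamps() {
    root=$1; out=$2
    # %A@ access, %T@ modification, %C@ status-change (epoch secs), %y type, %p path
    find "$root" -xdev -printf '%A@ %T@ %C@ %y %p\n' > "$out" 2>/dev/null || true
    wc -l < "$out" | tr -d ' '
}

# save_logs ROOT OUT
# Archive var/log beneath ROOT for later digging. Safe to run only after
# snapshot_timestamps, because tar reads (and so touches) every file.
save_logs() {
    root=$1; out=$2
    tar -C "$root" -cf "$out" var/log
}

# image_disk SOURCE OUT
# Bit-for-bit copy with dd; conv=noerror keeps going past unreadable
# blocks on a damaged disk. Both sides are hashed so the image can later
# be shown to match what was taken. SOURCE may be a block device such as
# /dev/sda, or a regular file for a dry run.
image_disk() {
    src=$1; out=$2
    dd if="$src" of="$out" bs=1M conv=noerror 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s\n' "$img_hash" > "$out.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Driver: runs only when the operator names a device and an evidence dir, e.g.
#   SUSPECT_ROOT=/mnt/suspect SUSPECT_DEV=/dev/sdb EVIDENCE_DIR=/media/usb/case1 sh preserve.sh
if [ -n "${SUSPECT_DEV:-}" ] && [ -n "${EVIDENCE_DIR:-}" ]; then
    mkdir -p "$EVIDENCE_DIR"
    snapshot_timestamps "${SUSPECT_ROOT:-/}" "$EVIDENCE_DIR/timeline.txt"
    save_logs "${SUSPECT_ROOT:-/}" "$EVIDENCE_DIR/logs.tar"
    image_disk "$SUSPECT_DEV" "$EVIDENCE_DIR/disk.img"
fi
```

The ordering is the point: the timestamp listing comes first because every later step reads files and so rewrites their access times, and the dd image plus its hash is what a post-mortem would be built on, independent of whether any archive format saved atimes. Run the tools from a trusted, statically linked copy on other media, as the thread suggests, rather than the suspect machine's own binaries.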
