Bill Jonas on Mon, 15 Jul 2002 06:00:08 +0200

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] how to tell which process binds to which port?

On Sun, Jul 14, 2002 at 05:25:50PM -0500, Sean Finney wrote:
> if you find someone logging in to your box, a little wall message
> should scare them off, and you'll know where they came from to boot. 

Not if you value your data.  If you *must* do this, back up anything you
want to save *first*.  If any valuable (for varying amounts of value)
data is backed up, you've nothing to lose since you're going to
reinstall anyway.  I'd also recommend backing up the logs if you want to
go digging through them, and the whole system if you want to attempt a
post-mortem.  (There are some software packages that will attempt to
reconstruct what happened by looking at the atime of the files.  I don't
know that tar saves this, though; I don't believe it does.  You'd want
to back up filesystem images (dd the disk) to be sure of saving all the

Rationale: See, the first thing this black-hat (assuming that your
system *has* been compromised) is going to think when they see your
message is, "Oh <expletive>, I've been caught."  The second thing is,
"How can I cover my tracks?"  The most expedient answer is a quick "rm
-rf /".

Another thing to consider is that unless you can babysit the machine
24/7 until you see your intruder back on the system, it's really quite
irresponsible to leave the compromised system running.  It can be used
as a platform to crack other systems, in which case the intrusion
attempts would get traced back to you, a platform for DDoS attacks, FTP
server for warez/kiddie porn/etc, or who knows what else.  Legally,
you're responsible for what's done with your machine; and while some
leeway might be given if the system was being used by an unauthorized
intruder, I would think that none would be given for a case of "the
system was compromised but I was trying to catch this guy in the act and
make him wet his pants".  (Jon, Arthur, any thoughts?)  It's about being
a good neighbor on the 'Net.

> if you are hacked, you could also a) just re-install from scratch, and/or 
> b) report the hacker to their isp.  i think neither of those would be
> nearly as gratifying though :)

Better yet: Do both of the above, and, if you must, your suggestion too
(taking the proper precautions first).

> i'd recommend getting on another machine, and re-compiling your
> shell-utils, base-utils, et cetera packages as static binaries, and
> then use those to investigate.

Yes, very good advice.  Don't make the mistake, though, of trying to
salvage the installation; it's almost certainly less work and definitely
less error-prone to reinstall than to take every step to be absolutely
sure that the machine has been cleaned.  (Perhaps, unless, you've
planned ahead for this by e.g., using tripwire.  But even in that case,
I'd personally still go the reinstall route.)

Bill Jonas    *    *
"They that can give up  essential  liberty to obtain a little temporary
safety deserve neither liberty nor safety."        -- Benjamin Franklin

Attachment: pgpfd0mw9CeAI.pgp
Description: PGP signature