[SunHELP] Tracking Hacker ?

Ben Ricker sunhelp at sunhelp.org
Thu Apr 26 10:07:24 CDT 2001


I am surprised no one has mentioned step one: get that machine off the
network. As someone pointed out, the hacker may be hacking other
machines on your network like crazy. Keeping the machine on the network
is just plain crazy talk. What if they get other machines from the
company you are piggybacking on and they boot you? What if the hacker
commits a more serious crime using your machine as a staging machine?
Get it off the network and wipe that puppy.

Ben Ricker
System Administrator
US-Rx, Inc.

On 26 Apr 2001 08:01:36 -0700, Justin Brodeur wrote:
> I know this is a little late coming to the discussion and it probably
> doesn't matter anyway, but before you reboot the machine or do anything to
> it (which I'm sure you've already done something to it), you might want to
> grab lsof from sunsite and run that and see if there is anything strange
> running. I remember one job I was doing the perp used a trojan but hid it
> with a hacked version of ps and other system utilities, but when I ran
> lsof, lo and behold, there was his sniffer, plugging away in the
> background. Just another thing to think about.
> 
> Justin
> 
> 
> On Wed, 25 Apr 2001, James Fogg wrote:
> 
> > I finally had time to read your message more thoroughly.
> > 
> > It does appear as if the perp could have some sophistication. You need to
> > consider some painful possibilities.
> > 
> > 1) binaries on your SS5 may have been replaced with trojans that will allow the
> > intruder to access your system for all sorts of reasons. Some trojans can
> > instantly re-enable the intruder's access no matter how you disallow it. The
> > only solution is to wipe the drive and re-install. Don't trust anything on the
> > machine (other than a pure text file).
> > 
> > 2) The SS5 may have been/is being used as a jumping-off point to access
> > machines within your company. This could be especially true if your SS5 is
> > trusted by machines within the company or by a firewall (at first I assumed from
> > your post you have no firewall, but maybe the SS5 is in a DMZ). If you run or
> > use NFS, run as fast as you can and shoot the machine (weapon of choice, a
> > smooth-bore cannon).
> > 
> > 3) Since the intruder has dropped a clue, any malicious activity has probably
> > already been completed.
> > 
> > 4) Check and see if any unexplained processes are running. The intruder may be
> > using you as a platform to attack another site, or run a bot in IRC. If you run
> > sendmail, the intruder may have used you to send tons of spam.
> > 
> > 5) If you have the skills, run a packet analyzer. Ethereal is an excellent
> > choice :=). If you can, run snoop (Solaris) or tcpdump (Linux) on a different
> > machine inside the company network (to look for other activity). The logs from
> > these programs can be interpreted by Ethereal (COOL, a remote control
> > sniffer!). Even if you cannot decipher the output completely, Ethereal will
> > annotate the info in a way most people can read. Examine anything you don't
> > recognize. The analysis will help you know if the intruder is still active.
> > 
> > Good luck, a post-mortem is never fun.
> > btw... does the boss know yet?
> > 
> > On Tue, 24 Apr 2001, THOU SPAKE:
> > > Hello Sun Admins,
> > > 
> > > I logged into my SPARCstation 5 tonight (which runs Solaris 8) and a
> > > message of "you been hacked" was on my screen.  Someone somehow gained
> > > root access and put that in my /etc/motd file.  I noticed it was last
> > > modified APRIL 24 at "18:52" so I did a last -10 to see who had been on.
> > > Apparently they covered up their tracks because it only showed MY logins
> > > and NO logins around the time this happened.  The only other guy who has
> > > root access to this system is on his way home from Denver, CO and has NO
> > > ACCESS to the net right now.
> > > 
> > > Which steps can be taken to find out who had done this or at least how
> > > they got in?  
> > > 
> > > None of my log files in /var/log have any clue.. /var/adm/messages would
> > > have had something but everything was removed from the time it happened and
> > > before.
> > > 
> > > ANY IDEAS that can help me are **GREATLY** appreciated.  After this had
> > > happened, I also checked my inetd.conf and probably should have shut down
> > > basically ALL ports beforehand because the only access anyone needs to
> > > this is RARELY ftp and mostly ssh.  Thank you!
> > > 
> > > 
> > > 
> > > Jeff Feller
> > > 
> > > _______________________________________________
> > > SunHELP maillist  -  SunHELP at sunhelp.org
> > > http://www.sunhelp.org/mailman/listinfo/sunhelp
> > -- 
> > =======================================================
> >      James D. Fogg, Network Engineer
> >     Vicinity Corporation - Lebanon, NH
> > 
> >      DESK (603) 442-1751 - CELL (603) 252-1864
> >      PAGER (802) 742-0280 - HOME (603) 526-7729
> >             EMAIL jfogg at vicinity.com
> > =======================================================
> > 
> > 
> 

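Justin's lsof story above is an instance of a general technique: a trojaned ps(1) can drop the intruder's sniffer from its own listing, but the kernel still creates a /proc/<pid> entry for every running process, so enumerating /proc and diffing it against what ps reports exposes whatever ps is hiding. The script below is an added example written for this page, not code posted by anyone in the thread; the name procdiff.sh and the --live flag are this example's own conventions, and the live check assumes a ps that accepts -e and -o pid= (Solaris and Linux both do).

```shell
#!/bin/sh
# Cross-view process check (added example): list PIDs from /proc directly
# and compare with the PIDs ps(1) reports. Solaris (2.x onward) and Linux
# both keep one numeric directory per process under /proc.

# hidden_pids KERNEL_VIEW PS_VIEW
# Both arguments are whitespace-separated PID lists. Prints, one per line,
# every PID present in KERNEL_VIEW but absent from PS_VIEW.
hidden_pids() {
    kernel_view=$1
    ps_view=$2
    for pid in $kernel_view; do
        found=0
        for p in $ps_view; do
            if [ "$p" = "$pid" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
    return 0
}

# check_live: take both snapshots on this machine and report the difference.
# The /proc listing is built in the current shell (no subshell, no external
# command) so the only PID the check itself adds is $$, which ps sees too.
# Processes that exit between the two snapshots still show up as false
# positives: re-run and only trust a PID that is hidden every time, then look
# at it with ls -l /proc/<pid> (on Solaris 8, /usr/proc/bin/pfiles <pid>
# shows its open files much as lsof would).
check_live() {
    kernel_view=""
    for d in /proc/[0-9]*; do
        kernel_view="$kernel_view ${d#/proc/}"
    done
    # -e and -o pid= are accepted by both Solaris and Linux ps.
    ps_view=$(ps -e -o pid=)
    hidden_pids "$kernel_view" "$ps_view"
}

# Usage: sh procdiff.sh --live   (any output is a PID that ps is not showing)
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run it with a shell and ps copied from trusted media rather than the ones on the compromised disk, for the same reason James gives below: if ps is trojaned, sh and ls may be too. An empty result does not prove the box is clean (a kernel-level rootkit hides the /proc entry as well); a non-empty one is a process that deserves a close look before the machine is pulled.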

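James's point 1 (binaries replaced with trojans, trust nothing on the machine) is usually settled by comparing the binaries against a baseline taken from a trusted source. The script below is an added example for this page, not code from the thread. It uses cksum(1) output ("crc size path"), which Solaris and Linux both produce, and the CKSUM variable, the manifest format and the demo scenario are this example's own; the demo builds its files in a temp directory with mktemp, which Solaris 8 does not ship but Linux does.

```shell
#!/bin/sh
# Baseline integrity check (added example). A manifest is produced on a
# trusted machine, or from the install media, and kept off the suspect box;
# verify_manifest recomputes each entry and reports what changed.
#
# Caveats: on a compromised host the shell, cksum and the on-disk package
# database (what pkgchk checks against on Solaris) can all be trojaned, so
# run this from tools on read-only media. cksum's CRC-32 is not collision
# resistant; point CKSUM at a real digest where one exists (e.g. sha256sum
# on Linux) when the manifest was built with the same tool.

CKSUM=${CKSUM:-cksum}

# make_manifest PATH...  -> writes "<crc> <size> <path>" lines to stdout
make_manifest() {
    for f in "$@"; do
        "$CKSUM" "$f"
    done
}

# verify_manifest MANIFEST -> one status line per entry:
#   OK <path>       checksum and size match the baseline
#   CHANGED <path>  checksum or size differs (replaced or patched file)
#   MISSING <path>  file no longer present
# Returns 0 only when every entry is OK.
verify_manifest() {
    manifest=$1
    rc=0
    while read -r crc size path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        now=$("$CKSUM" "$path")
        set -- $now
        if [ "$1" = "$crc" ] && [ "$2" = "$size" ]; then
            echo "OK $path"
        else
            echo "CHANGED $path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# demo: constructed scenario in a temp directory (not real system binaries).
# Baseline three files, then "trojan" one and delete another, then verify.
# Returns verify_manifest's status (non-zero here, since two entries fail).
demo() {
    d=$(mktemp -d) || return 2
    printf 'original ps\n'   > "$d/ps"
    printf 'original ls\n'   > "$d/ls"
    printf 'original lsof\n' > "$d/lsof"
    make_manifest "$d/ps" "$d/ls" "$d/lsof" > "$d/baseline.cksum"
    printf 'trojaned ps\n' > "$d/ps"      # attacker replaces ps
    rm -f "$d/ls"                         # and removes ls
    verify_manifest "$d/baseline.cksum"
    demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}
```

On a live SS5 the manifest would cover at least /usr/bin, /usr/sbin, /usr/lib and the inetd-spawned daemons, taken from a freshly installed Solaris 8 at the same patch level; a CHANGED line on ps, ls, netstat, login or in.telnetd is exactly the trojan James describes, and a clean report still does not make the disk trustworthy for reuse.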