
end. Remember, though, that such changes may not be "visible" to any system tools.
Sometimes the intruder is not so smart and forgets about root's .bash_history, or about cleaning up log
entries, or even leaves strange leftover files in /tmp. So these should always be checked too. Just don't
necessarily expect them to be accurate. Often such left-behind files, or log entries, will have obvious
script-kiddie-sounding names, e.g. "r00t.sh".
Packet sniffers, like tcpdump (http://www.tcpdump.org), might be useful in finding any uninvited traffic.
Interpreting sniffer output is probably beyond the grasp of the average new user. snort (http://www.snort.org),
and ethereal (http://www.ethereal.com), are also good. Ethereal has a GUI.
As mentioned, a compromised system will undoubtedly have altered system binaries, and the output of
system utilities is not to be trusted. Nothing on the system can be relied upon to be telling you the whole
truth. Re−installing individual packages may or may not help since it could be system libraries or kernel
modules that are doing the dirty work. The point here is that there is no way to know with absolute certainty
exactly what components have been altered.
We can use rpm -Va | less to attempt to verify the integrity of all packages. But again there is no assurance
that rpm itself has not been tampered with, or the system components that RPM relies on (such as the RPM
database it compares against).
If you have pstree on your system, try this instead of the standard ps. Sometimes the script kiddies forget
about this one. No guarantees though that this is accurate either.
You can also try querying the /proc filesystem, which contains everything the kernel knows about the
processes that are running:
# cat /proc/*/stat | awk '{print $1,$2}'
This will list every process ID and its command name (assuming a malicious kernel module is not hiding
them).
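The /proc comparison described above, carried one step further as an added example (not from the HOWTO itself): it lists PIDs straight from /proc/<pid>/stat, lists them again through ps, and reports any PID that /proc knows but ps does not. The sample lists at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Cross-check the process list read from /proc against the one ps reports.
# A PID present in /proc but absent from ps deserves a closer look: either
# something is hiding it from ps, or it exited between the two reads
# (re-run the check to rule out that race).

# "PID NAME" lines taken straight from /proc/<pid>/stat: field 1 is the PID,
# the command name follows in parentheses (it may itself contain spaces).
procfs_pids() {
    for f in /proc/[0-9]*/stat; do
        [ -r "$f" ] && sed -n 's/^\([0-9]*\) (\(.*\)).*/\1 \2/p' "$f"
    done | sort -n
}

# The same "PID NAME" lines as ps sees them.
ps_pids() {
    ps -e -o pid= -o comm= | awk '{ $1 = $1; print }' | sort -n
}

# Print the lines of list $1 whose PID does not occur in list $2.
# Both arguments are newline-separated "PID NAME" text, so the logic runs
# identically on live output and on constructed samples.
missing_from() {
    printf '%s\n' "$1" | awk -v ref="$2" '
        BEGIN {
            n = split(ref, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); seen[f[1]] = 1 }
        }
        NF && !($1 in seen)'
}

# Live comparison on the running system (call this on the box under review).
live_check() {
    missing_from "$(procfs_pids)" "$(ps_pids)"
}

# Constructed sample, not real output: /proc knows a PID that ps omits.
SAMPLE_PROC='1 init
42 sshd
1337 r00t.sh'
SAMPLE_PS='1 init
42 sshd'

# Returns the suspicious lines for the sample; doubles as a stand-alone demo.
demo_check() {
    missing_from "$SAMPLE_PROC" "$SAMPLE_PS"
}

demo_check
```

An empty result from live_check only means /proc and ps agree; a kernel module that hides a process from both will still go unnoticed, which is the point the text makes.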
Another approach is to visit http://www.chkrootkit.org, download their rootkit checker, and see what it says.
Some interesting discussions on issues surrounding forensics can be found at http://www.fish.com/security/.
There is also a collection of tools available, aptly called "The Coroner's Toolkit" (TCT).
Read below for steps on recovering from an intrusion.
6.3. Reclaiming a Compromised System
So now you've confirmed a break-in, and know that someone else has root access, and quite likely one or
more hidden backdoors into your system. You've lost control. How do you clean up and regain control?
There is no surefire way of doing this short of a complete re-install. There is no way to find with assurance
all the modified files and backdoors that may have been left. Trying to patch up a compromised system risks
a false sense of security and may actually aggravate an already bad situation.
Security Quick-Start HOWTO for Red Hat Linux