[PLUG] Questions regarding compromised system

Keith Lofstrom keithl at kl-ic.com
Fri Jan 19 16:41:32 UTC 2007


Off the list.


On Thu, Jan 18, 2007 at 12:49:56PM -0800, David Mandel wrote:
...
> Ok, so what is going on?

You may have to google for the particular set of exploits.  I've
never seen those.  Much of what happened depends on the security
hole they came in through.   Is there a recent backup image of
the machine, allowing you to do a file-by-file comparison?

Lots of questions need answering, like what distro, how recently
upgraded, how many legitimate users, etc., but those would be best
answered offline.


> I know I have been compromised and will have to figure out a way to
> rebuild the system which isn't easy given the location of the machine.

Operators are standing by.  Where is the machine?  The easiest way
to do this is to replace the hard drive with a rebuild;  perhaps we
can help with that, both with physical access and with building the
next one a little less vulnerable.  Forensics on the old hard drive
would be very valuable - don't erase it! - save it as is, corrupted,
and later it can be mounted non-executable read-only on another machine
for analysis.

The newer setup should have file integrity monitoring.  Of course,
I need to set that up for my outside server, I have been lax myself.
Another project.


> However, I would really like to know how I was compromised so I can
> prevent it in the future.  At the moment, I'm looking at my log files,
> but I haven't found much useful information - except that I'm very
> suspicious of a machine with ip=81.181.170.26.  It is in Romania.

And the bad guy may be a few machines behind that.  


> Is this a well known event that every security person knows about?
> I don't claim to know anything about computer security - well, just
> enough to get by - usually - but not today.

You have high visibility, and the system cracker may have gone after
you to show off.  The twit may be reading the plug list.  If so,
perhaps he will do something more productive with his useless life,
like get simultaneous AIDS, leprosy, and bone cancer, and die in
some rat-infested alley.  

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
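The file-by-file comparison and the read-only, non-executable mount that Keith suggests above, as an added shell example that is not part of the original thread. It assumes GNU coreutils (`sha256sum`, `find`, `sort`, `comm`) and works on a constructed pair of directory trees: a "good" backup and a "suspect" copy in which one binary has been altered, an SSH key added and a config file deleted. Paths in the manifests are recorded relative to each tree's root so a backup mounted at one point can be compared with the suspect disk mounted at another.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread. Builds a sha256 manifest of a
# directory tree and lists every path that was added, removed or altered between
# two manifests (backup image vs. suspect disk). Requires coreutils.

# Use sha256sum where available, shasum otherwise (assumption: one of them exists).
hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# mount_suspect DEVICE MOUNTPOINT: attach the old drive so nothing on it can run
# or escalate. Not called by demo(); needs root and a real block device.
mount_suspect() {
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# make_baseline DIR OUTFILE: "hash  ./relative/path" for every regular file.
# Run this with tools from a clean host, never with binaries from the suspect disk.
make_baseline() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do hasher "$f"; done ) > "$2"
}

# changed_paths OLD NEW: paths present in only one manifest or with differing
# hashes. comm compares whole sorted lines, so an altered file shows up twice
# (old hash, new hash) and sort -u collapses it. Paths with spaces are not handled.
changed_paths() {
    sort "$1" > "$1.s"; sort "$2" > "$2.s"
    comm -3 "$1.s" "$2.s" | sed 's/^[[:space:]]*//' | awk '{print $2}' | sort -u
    rm -f "$1.s" "$2.s"
}

# demo: constructed backup and suspect trees; prints the three paths that differ.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good/bin" "$tmp/good/etc"
    printf 'original ls binary\n' > "$tmp/good/bin/ls"
    printf 'root:x:0:0\n' > "$tmp/good/etc/passwd"
    printf 'PermitRootLogin no\n' > "$tmp/good/etc/sshd_config"
    make_baseline "$tmp/good" "$tmp/good.sha"

    # Constructed "suspect" copy: altered binary, planted key, deleted config.
    cp -r "$tmp/good" "$tmp/suspect"
    printf 'modified ls binary\n' > "$tmp/suspect/bin/ls"
    mkdir -p "$tmp/suspect/root/.ssh"
    printf 'ssh-rsa CONSTRUCTED-KEY-DATA\n' > "$tmp/suspect/root/.ssh/authorized_keys"
    rm "$tmp/suspect/etc/sshd_config"
    make_baseline "$tmp/suspect" "$tmp/suspect.sha"

    changed_paths "$tmp/good.sha" "$tmp/suspect.sha"
    rm -rf "$tmp"
}
```

On a real case the two calls would be `make_baseline /mnt/backup backup.sha` and `make_baseline /mnt/suspect suspect.sha` after `mount_suspect /dev/sdX1 /mnt/suspect`, with the output of `changed_paths` being the starting list of files to inspect. Kept as a scheduled job against a known-good manifest, the same two functions are the minimal file integrity monitoring Keith mentions for the rebuilt machine; the manifest must be stored off the monitored host, since an intruder who can alter files can also alter a manifest kept beside them.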