Linux Security Cookbook
by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
June 2003
Intermediate to advanced
336 pages
8h 54m
English
O'Reilly Media, Inc.

9.41. Recovering from a Hack

Problem

Your system has been hacked via the network.

Solution

  1. Think. Don’t panic.

  2. Disconnect the network cable.

  3. Analyze your running system. Document everything (and continue documenting as you go). Use the techniques described in this chapter.

  4. Make a full backup of the system, ideally by removing and saving the affected hard drives. (You don’t know if your backup software has been compromised.)

  5. Report the break-in to relevant computer security incident response teams. [Recipe 9.42]

  6. Starting with a blank hard drive, reinstall the operating system from trusted media.

  7. Apply all security patches from your vendor.

  8. Install all other needed programs from trusted sources.

  9. Restore user files from a backup taken before the break-in occurred.

  10. Do a post-mortem analysis on the original copy of your compromised system. The Coroner’s Toolkit (TCT) can help determine what happened and sometimes recover deleted files.

  11. Reconnect to the network only after you’ve diagnosed the break-in and closed the relevant security hole(s).

Discussion

Once your system has been compromised, trust nothing on the system. Anything may have been modified, including applications, shared runtime libraries, and the kernel. Even innocuous utilities like /bin/ls may have been changed to prevent the attacker’s tracks from being viewed. Your only hope is a complete reinstall from trusted media, meaning your original operating system CD-ROMs or ISOs.

The Coroner’s Toolkit (TCT) is a collection of scripts and ...
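
For the post-mortem in step 10, one way to find which binaries were altered (the Discussion's /bin/ls case) is to hash the saved disk, mounted read-only on a separate trusted analysis host, against a known-good manifest. This is an added example, not code from the book or from TCT; the manifest format (sha256sum-style lines with absolute paths, regular files only), the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('HEXDIGEST  /path') into {path: digest}."""
    pairs = (ln.split(None, 1) for ln in text.splitlines() if ln.strip())
    return {path.strip().lstrip("*"): digest.lower() for digest, path in pairs}

def audit(evidence_root, expected, dirs=("bin", "sbin")):
    """Return (modified, missing, unexpected) paths versus the manifest."""
    modified, missing, unexpected = [], [], []
    for path, digest in sorted(expected.items()):
        target = os.path.join(evidence_root, path.lstrip("/"))
        if not os.path.lexists(target):
            missing.append(path)
        # Assumption: the manifest lists regular files only, so a symlink or
        # device node here is flagged, never followed out of the evidence tree.
        elif (os.path.islink(target) or not os.path.isfile(target)
              or sha256_file(target) != digest):
            modified.append(path)
    for d in dirs:  # files the trusted media never shipped
        for base, _, files in os.walk(os.path.join(evidence_root, d)):
            for name in files:
                rel = "/" + os.path.relpath(os.path.join(base, name), evidence_root)
                if rel not in expected:
                    unexpected.append(rel)
    return modified, missing, sorted(unexpected)

def demo():
    """Constructed sample tree and manifest; not real system data."""
    good = {"/bin/ls": b"ls-orig", "/bin/ps": b"ps-orig", "/bin/netstat": b"ns-orig"}
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in good.items())
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", b"trojaned"), ("ps", b"ps-orig"), ("xtra", b"?")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        return audit(root, parse_manifest(manifest))

if __name__ == "__main__":
    print(demo())  # (['/bin/ls'], ['/bin/netstat'], ['/bin/xtra'])
```

The result feeds the diagnosis in steps 10 and 11 only; it does not make the compromised installation trustworthy again, so the reinstall from trusted media still applies.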

ISBN: 0596003919