
Re: Server Hacked



On Fri, Aug 19, 2005 at 10:02:23AM -0700, Brian C wrote:

> Anyway, this is getting even more off-topic.

Yes, the group alt.computer.security, for instance, might be a better
choice for continuing this discussion.

> I'm still sort of surprised that this group of what I thought was fairly
> skilled developers hasn't provided one link or suggestion on how best to
> 1) identify the vulnerability exploited on a hacked server or 2)
> identify the likely perpetrator of a defacement. Searching around I find
> lots about how to prevent hacks in the first place but very little
> that's helpful in dealing with it once it's happened.

What you should have done is set up a proper IDS (Intrusion Detection
Service) on your system prior to the compromise.  Examples of IDS
systems are integrit, aide, and samhain, all of which are in the
Debian packages.  I see that bsign and harden-nids are also in
packages, and might be relevant, and there might be other packages
that other posters might suggest.  I use integrit, and chose it
because it looked like it would be easy to use.

If you had used an IDS, you would at least be able to determine what
software is compromised.  This would be helpful to you in working on
the much more difficult questions of 1) and 2) above.  Without that
information, it is hard for you to even get started.

After re-installing, I'd suggest that you start using an IDS system.

SLRNer
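The reply's point is that a host-based integrity checker (integrit, aide, samhain) only helps if a baseline was recorded before the compromise, because the report is nothing more than a diff between the known-good manifest and the current filesystem. The following is an added illustration of that mechanism, not code from the post or from any of those projects: it fingerprints a directory tree, then compares a later fingerprint against the baseline and reports added, removed and modified files, including permission changes such as a new setuid bit. The directory layout, file contents and the simulated post-compromise changes in `demo()` are all constructed for the example; `build_baseline()` and `compare()` are hypothetical names, not an API of any real tool.

```python
"""Minimal file-integrity checker in the spirit of integrit/aide/samhain.

Added example, not code from the post or from those projects. It assumes a
POSIX filesystem and that the baseline is taken on a known-good system and
kept where the monitored host cannot rewrite it (read-only media or another
host); a baseline stored on the compromised box is itself untrustworthy.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Record the attributes a file-integrity checker typically tracks."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())  # hash the link target, not what it points at
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk root and fingerprint every regular file and symlink under it.

    Keys are paths relative to root so the manifest can be compared later
    even if the tree is mounted elsewhere (e.g. from a rescue system).
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = _fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an IDS report does."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = {k: (baseline[rel][k], current[rel][k])
                 for k in baseline[rel] if baseline[rel][k] != current[rel][k]}
        if diffs:
            modified[rel] = diffs  # attribute -> (baseline value, current value)
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "var/www").mkdir(parents=True)
        (root / "usr/bin").mkdir(parents=True)
        (root / "var/www/index.html").write_text("<h1>Welcome</h1>\n")
        (root / "usr/bin/ls").write_bytes(b"\x7fELF original binary")
        (root / "usr/bin/ps").write_bytes(b"\x7fELF another binary")
        os.chmod(root / "usr/bin/ls", 0o755)

        baseline = build_baseline(tmp)  # taken while the system is known good

        # Simulated post-compromise state (constructed, not a real incident):
        (root / "var/www/index.html").write_text("<h1>Defaced</h1>\n")  # page replaced
        (root / "usr/bin/ls").write_bytes(b"\x7fELF replaced binary")   # system tool swapped
        os.chmod(root / "usr/bin/ls", 0o4755)                            # setuid bit added
        (root / "var/www/unknown.php").write_text("<?php ?>\n")         # unexpected new file
        (root / "usr/bin/ps").unlink()                                   # tool removed

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "removed"):
        for rel in report[kind]:
            print(f"{kind:8s} {rel}")
    for rel, diffs in report["modified"].items():
        print(f"modified {rel}: {diffs}")
```

The report is exactly what the reply says an IDS would have given the original poster: a list of which binaries were replaced, which files appeared, and which permissions changed, which is the starting point for working out what was exploited. Real checkers add two things this sketch only mentions: the baseline and the checker itself must live somewhere the attacker cannot alter, and the comparison should be run from trusted media, since a replaced `sha256sum` or libc on the compromised host can lie about its own files.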