Thursday, October 24, 2024

After the Hack: How to Get Back to Business

More often than not, when your machine has been the victim of a cracker’s attack, the best solution is to completely reinstall the operating system, being sure to apply all relevant patches to the machine. In other words, go to your software vendor’s website and double-check all of the security announcements and patches… you may have been hit by a brand new exploit. I have been asked many times if a complete reinstall is absolutely necessary. The short and simple answer is “yes”.

Once a machine has been compromised, there is virtually no way to know everything that a cracker did during the time that he/she had access to your machine. You cannot be 100% sure that your IDS (Intrusion Detection System) and/or file integrity checker were not compromised. You cannot be 100% sure that the tools you would normally use to check out your system have not been compromised (to hide information from you) or Trojaned. As comfortable as you may be with your own systems, there is almost no way to assess the damage 100% and still get the machine back online in the shortest possible time. Unless the machine that was attacked is a “honeypot”, getting that machine back online ASAP is going to be your priority, isn’t it?

A honeypot is a machine that is left on a network (usually the internet) designed to attract crackers. This machine will not actually have any services being run for any purpose other than attracting crackers. Usually, the people running a honeypot are simply trying to determine the latest tools and techniques that crackers are using.

There are dozens, if not hundreds or thousands, of ways a cracker can leave a machine open and waiting for their return. The easiest is probably to create a user account. Many times the new user account will even have a name similar to an existing system or user account (e.g. toor, fpt, etc. in place of root, ftp, etc.). This is done to avoid discovery by a lazy or overworked system administrator.
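One way to hunt for the look-alike accounts described above is to compare every name in a passwd-format file against the accounts you expect to exist, flagging names that are one typo, one transposition or a reversal away from an expected name, plus any extra UID 0 account. This is an added example, not code from the original article; the passwd lines and the list of expected accounts are constructed for illustration.

```python
# Constructed sample in /etc/passwd format: "toor" (UID 0, "root" reversed)
# and "fpt" (transposition of "ftp") are the kind of decoy accounts the text warns about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
toor:x:0:0:toor:/root:/bin/bash
fpt:x:1001:1001::/home/fpt:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Assumed baseline of accounts that legitimately exist on this host (constructed).
EXPECTED_SYSTEM_ACCOUNTS = {"root", "daemon", "bin", "sys", "ftp"}


def _edit_distance_le1(a, b):
    """True if a and b differ by one substitution, one insertion/deletion,
    or one adjacent transposition (e.g. 'fpt' vs 'ftp')."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def find_suspicious_accounts(passwd_text, expected_names):
    """Return {account_name: [reasons]} for accounts not in the expected set
    that either hold UID 0 or mimic an expected account's name."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if name in expected_names:
            continue
        if uid == "0":
            findings.setdefault(name, []).append("UID 0 account other than root")
        for known in sorted(expected_names):
            if name == known[::-1] or _edit_distance_le1(name, known):
                findings.setdefault(name, []).append(f"look-alike of '{known}'")
                break
    return findings
```

A real check would read /etc/passwd from a known-good boot medium and compare against a baseline saved before the incident, since the text notes the compromised host's own tools and files cannot be trusted.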

The problem with user accounts is that they should be pretty easy to find. Which brings me to another point. Many discoveries that you will make on a compromised machine may just be distractions or “sleight of hand” tricks.

I have heard of many instances where a honeypot was attacked and the operators of the honeypot kept observing the attack. Once the attacker realized that he/she had been discovered, he/she would do a few obvious things to the system, such as add a user account or change the timestamp on a password file. This way, the unwary system administrator would find a couple of decoys and never see what the cracker had really accomplished.

Trojans, and/or their more evolved brethren, rootkits, are almost always installed on a compromised machine. A perfect Trojan (i.e. a Trojan that leaves no evidence of its existence) would not require any additional software to be installed; however, there is no such thing as a perfect Trojan. Trojans will generally leave ports open that can be used to identify them. Otherwise, Trojans have signatures (for lack of a better term) that will usually make them fairly easy to find, if you know what you are looking for. Again, good file integrity checking software can be a lifesaver under these circumstances.

Rootkits are used by crackers to maintain access to machines that have been compromised. These kits are usually made up of modified versions of normal system binaries. It is for these types of attacks that you should be running some type of intrusion detection software that does file integrity checking, such as Tripwire. You can find out more about Tripwire here and here.

Keep in mind that Tripwire is useless to you once a machine has been compromised. If you did not have Tripwire or something similar installed on the machine prior to the attack, it is not going to provide you with any useful information.

Depending on the rootkit that may have been installed, other parts of the system may be compromised. You can bet on your logs being compromised along with most logging binaries, including syslog. For more information on rootkits, check here and here.

Rootkits are generally used against Unix systems and their derivatives, such as Linux and the *BSDs. There are plenty of easier-to-use Trojans available for attacking Windows systems (let’s face it, a percentage of Microsoft users will open just about any email attachment that is sent to them). Which brings me to another interesting point. Very rarely is your machine targeted for an attack for any reason other than that it had a vulnerability exposed. Usually, script kiddies are behind most attacks. They will scan entire blocks of IP addresses looking for a single machine to run an exploit on.

If you suspect that your system has been compromised with a rootkit, you can find more information here.

In conclusion, if your machine has been compromised, you should reinstall the operating system and apply all of the latest patches. If the version of the operating system that you are using is outdated, this may be the time to consider an upgrade. The most important thing to keep in mind if you really want to save time is: reinstall the operating system. There are too many holes that could have been left open after an attack for you to be able to reliably find them all. It takes a lot less time to reinstall once (followed by patching and locking down the system) than it does to keep fixing damage that is the result of attacks that were only possible because you missed one little binary…

Jay Fougere is the IT manager for the murdok network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@https://murdok.org.
