Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
OK, so you got rooted
Date: December 05, 2009 12:24AM

OK, so you got rooted. You found out because you saw a suspicious root login in your logs, or someone called you complaining about huge amounts of network. You've halted the machine and you've got the hard-drive mounted in a LiveCD VM and you want to know, "how." You kept up-to-date with patches, taking them within hours of coming out. There's no snazzy zero-day exploit lurking on Slashdot.

What are the first things you check? What forensics do you do? Do you take the approach of looking through the filesystem for suspicious things? Spinning up the machine as a virtual machine with network blocked off and looking for suspicious behavior? Try to come up with a reasonable story of what the attacker might have done and start looking there?

I'm really curious to know! My first instincts are logfiles and /tmp, but sometimes they don't have all the information you need.

HTML Purifier - Standards Compliant HTML filtering

Re: OK, so you got rooted
Posted by: thrill
Date: December 05, 2009 09:38AM

chkrootkit

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: OK, so you got rooted
Date: December 07, 2009 04:13AM

So, that tells you once they got in, how they tried to establish control of the machine, but doesn't really tell you much about the attack vector, which you might be more interested in if you have similarly configured machines elsewhere that you're worried about.

This seems like a really hard problem.

HTML Purifier - Standards Compliant HTML filtering

Re: OK, so you got rooted
Posted by: sirdarckcat
Date: December 07, 2009 05:22AM

dump your logs to OSSEC or similar and start having fun

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: OK, so you got rooted
Posted by: thrill
Date: December 07, 2009 08:03AM

Well, you have to start somewhere and by running chkrootkit you might get a pretty good idea of the attack vector. For the most part, rootkits are written to attack a specific vulnerability.

As sirdarckcat pointed out, OSSEC is probably the next step. Have it take a look at everything in /var/log, although if you got rooted and it wasn't by a rootkit and the person was serious about what they were doing, you won't find much there.

There are some forensic 'live CDs' that you can use, but all they do is speed up the process of looking at everything.. the best thing to do is to run something like OSSEC and make sure you log elsewhere. If you only have 2 machines, each machine can be a syslog server for the other.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: OK, so you got rooted
Posted by: thrill
Date: December 07, 2009 11:55AM

And to just state the obvious, you start by looking at the logs of things you are running.. apache, ssh, mail..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
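Thrill's advice is to start with the logs of the services you run; the OP's instinct is the same. As an added example (not code from thrill, the OP, or any tool named in the thread), here is a small Python pass over sshd lines of the kind syslog writes to /var/log/auth.log. It flags two things worth a look on a box that was just rooted: a successful login from an address that had been failing moments before, and any direct root login. The log lines, the host name "web1" and the addresses are constructed sample data; the year is supplied because syslog timestamps omit it.

```python
"""Triage of sshd log lines (an added example, not from the thread).

Given a slice of /var/log/auth.log, or the copy kept on a remote syslog
host, flag (a) a successful login from an address that had just been
failing and (b) any interactive root login.  Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format syslog/sshd write on Debian-style systems.
SAMPLE_AUTH_LOG = """\
Dec  4 22:41:02 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Dec  4 22:41:05 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51530 ssh2
Dec  4 22:41:09 web1 sshd[2215]: Failed password for root from 198.51.100.7 port 51541 ssh2
Dec  4 22:41:14 web1 sshd[2217]: Accepted password for root from 198.51.100.7 port 51549 ssh2
Dec  4 23:02:44 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 40011 ssh2
Dec  5 00:13:18 web1 sshd[2402]: Failed password for root from 203.0.113.9 port 33021 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(text, year=2009):
    """Return one dict per Accepted/Failed line; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter (session opened, disconnects) is ignored here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_suspicious(events, fail_threshold=2):
    """Walk events in order.  A success preceded by >= fail_threshold failures
    from the same address is a password guess that worked; any root login is
    worth a look on a box where root should never log in directly."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
            continue
        if failures[e["ip"]] >= fail_threshold:
            findings.append({"kind": "brute_then_success", "user": e["user"], "ip": e["ip"],
                             "failures": failures[e["ip"]], "ts": e["ts"]})
        if e["user"] == "root":
            findings.append({"kind": "root_login", "user": "root", "ip": e["ip"],
                             "method": e["method"], "ts": e["ts"]})
        failures[e["ip"]] = 0  # reset so later failures start a new streak
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_sshd(SAMPLE_AUTH_LOG)):
        print(f"{f['ts']:%b %d %H:%M:%S} {f['kind']:20} {f['user']}@{f['ip']}")
```

On the constructed sample this reports one "brute_then_success" and one "root_login", both for the 22:41:14 root login from 198.51.100.7. Run it against the copy of the log on the syslog server rather than the disk image, for the reason rvdh gives further down: the on-box copy is the one an attacker edits.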

Re: OK, so you got rooted
Posted by: rvdh
Date: December 14, 2009 02:55PM

Tripwire or Aide. Albeit you need to be fast and monitor it daily, it's about continued ownage, so if you detect and stop it you win. You can let it send digests of all system modifications via e-mail, or SMS if you feel like coding that up yourself. Looking into your apache logs doesn't do that much when your system is compromised, because they probably didn't come in through a web application, and secondly they usually remove logs, at least if they're smart.
I always did.



Edited 2 time(s). Last edit at 12/14/2009 03:03PM by rvdh.
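To make concrete what Tripwire and AIDE do, here is an added example (not code from either tool or from anyone in the thread) of the core idea in Python: record a hash and a few inode attributes for every regular file under a root, store that as the baseline, and diff a later snapshot against it. The demo builds a constructed tree in a temporary directory, takes a baseline, then applies the kinds of changes a compromise leaves behind (a same-size replacement of a binary, a setuid bit turned on, a dotfile dropped, a file removed) and reports what changed. The file names are constructed; real AIDE also records mtime/ctime, link count and ACLs, which are left out so the demo is deterministic.

```python
"""Minimal Tripwire/AIDE-style file integrity check (added example, not from
the thread or from either tool).  Records a hash and a few inode attributes
per regular file, then diffs a later snapshot against that baseline."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> attributes for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices would need their own handling
            snap[os.path.relpath(path, root)] = {
                "sha256": sha256_file(path),
                "mode": st.st_mode & 0o7777,  # permission bits incl. setuid/setgid/sticky
                "size": st.st_size,
                "uid": st.st_uid,
            }
    return snap


def compare(baseline, current):
    """Report files that appeared, vanished, or changed in any recorded attribute."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def write_file(path, data, mode=0o644):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed tree: take a baseline, apply post-compromise style changes,
    and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root:
        ls_body = b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n"
        write_file(os.path.join(root, "bin", "ls"), ls_body, 0o755)
        write_file(os.path.join(root, "bin", "ps"), b"ps-binary", 0o755)
        write_file(os.path.join(root, "etc", "motd"), b"welcome\n")
        baseline = snapshot(root)

        # Same-size replacement of ls: size and mode unchanged, only the hash catches it.
        write_file(os.path.join(root, "bin", "ls"), ls_body.replace(b"exec", b"EXEC"), 0o755)
        # setuid bit turned on for ps: content unchanged, the mode catches it.
        os.chmod(os.path.join(root, "bin", "ps"), 0o4755)
        # A dropped dotfile and a removed file.
        write_file(os.path.join(root, "tmp", ".cache"), b"x")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The part that matters operationally is where the baseline lives: if it sits on the same disk as the files it describes, whoever has root can simply regenerate it, so keep it on read-only media or on the same remote host that collects the logs, and compare from a clean boot rather than from the running system.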

Re: OK, so you got rooted
Posted by: thrill
Date: December 14, 2009 07:20PM

Quote

they usually remove logs, at least if they're smart.
I always did.

Ahhh.. the good old days of sanitizing wtmp.. no sireebob.. root NEVER logged on to this machine..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
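Thrill's wtmp anecdote and rvdh's "they usually remove logs" point at the same defender lesson as thrill's earlier advice to log elsewhere: the copy on the box is not trustworthy, but it can be checked against the copy that is not on the box. As an added example (not code from anyone in the thread), here is a Python parser for wtmp that runs two checks on an image copied off the machine: records that are entirely NUL bytes, which is what in-place blanking of an entry leaves behind, and logins that the remote syslog copy of sshd's messages recorded but that have no matching USER_PROCESS entry in wtmp. It assumes the glibc struct utmp layout on x86_64 Linux (384-byte records, 32-bit timestamps) and UTC timestamps; the wtmp contents, the syslog lines and the addresses are all constructed.

```python
"""Spotting a sanitized wtmp (added example, not from the thread).

Two checks against the wtmp copied off the rooted box:
  1. records that are entirely NUL bytes, the residue of blanking an entry in place;
  2. logins the remote syslog copy of sshd's messages recorded but that have
     no matching USER_PROCESS entry in wtmp.
Assumes the glibc struct utmp layout on x86_64 Linux (384-byte records);
all data below is constructed."""
import re
import struct
from datetime import datetime, timezone

# struct utmp, little-endian; the only padding is the two bytes after ut_type.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def pack_record(ut_type, pid, line, user, host, when):
    """Build one wtmp record (constructed data; timestamps taken as UTC)."""
    tv_sec = int(when.replace(tzinfo=timezone.utc).timestamp())
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    """Decode every fixed-size record; NUL-padded strings are stripped."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1],
                     "line": f[2].rstrip(b"\0").decode(),
                     "user": f[4].rstrip(b"\0").decode(),
                     "host": f[5].rstrip(b"\0").decode(),
                     "tv_sec": f[9]})
    return recs


def find_zeroed_records(data):
    """Indices of all-NUL records.  An empty slot at the very end can be
    legitimate; one sitting between two real records is a red flag."""
    blank = bytes(UTMP_SIZE)
    return [i for i in range(len(data) // UTMP_SIZE)
            if data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE] == blank]


ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from ([\d.]+) port")


def find_missing_logins(records, remote_syslog):
    """(user, ip) pairs the off-box syslog saw sshd accept but wtmp lacks."""
    seen = {(r["user"], r["host"]) for r in records if r["type"] == USER_PROCESS}
    expected = [(m.group(1), m.group(2))
                for m in (ACCEPTED_RE.search(l) for l in remote_syslog.splitlines()) if m]
    return [pair for pair in expected if pair not in seen]


# Constructed: what the remote syslog host kept.
REMOTE_SYSLOG = """\
Dec  4 22:41:14 web1 sshd[2217]: Accepted password for root from 198.51.100.7 port 51549 ssh2
Dec  4 23:02:44 web1 sshd[2290]: Accepted publickey for deploy from 192.0.2.10 port 40011 ssh2
"""


def build_sample_wtmp():
    """Constructed wtmp: boot, root's login blanked in place, then deploy's session."""
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "reboot", "", datetime(2009, 12, 4, 9, 0, 0)),
        bytes(UTMP_SIZE),  # this slot held root's login from 198.51.100.7 and is now zeroed
        pack_record(USER_PROCESS, 2290, "pts/0", "deploy", "192.0.2.10",
                    datetime(2009, 12, 4, 23, 2, 44)),
        pack_record(DEAD_PROCESS, 2290, "pts/0", "", "", datetime(2009, 12, 4, 23, 30, 0)),
    ])


if __name__ == "__main__":
    data = build_sample_wtmp()
    print("zeroed record indices:", find_zeroed_records(data))
    print("logins missing from wtmp:", find_missing_logins(parse_wtmp(data), REMOTE_SYSLOG))
```

On the constructed data this reports record 1 as zeroed and ("root", "198.51.100.7") as a login that syslog saw but wtmp does not show. On a real image, `last -f <copy of wtmp>` or `utmpdump` give the same record view without writing a parser, but neither tells you what is missing; only a second copy of the evidence that the attacker could not reach does that, which is why thrill's two-machines-logging-to-each-other setup is the cheap version of the right answer.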
