System Recovery Guide
LinuxAid Ni-ZhiQiang
Introduction
This article describes how to deal with an intrusion into a UNIX or NT system: how to regain control of the system, analyse what the intruders did, and recover.
Note: every step you take during system recovery should be consistent with your organization's network security policy.
A. Preparations
1. Discuss security policies
If your organization does not have a security policy of its own, follow these steps:
1.1 Negotiate with management
Notifying management of the intrusion may be required in some organizations. When management is aware that an incident is being recovered from, the network administrator can obtain the cooperation of the internal departments involved. Be aware that an intrusion may also attract media attention.
1.2 Negotiate with legal counsel
Before you start the recovery, your organization needs to decide whether to pursue a legal investigation.
Note that CERT (the Computer Emergency Response Team) only provides technical help and helps network sites respond to security incidents; it does not provide legal advice. Consult your own legal counsel on legal questions. Your legal counsel can tell you what liability (civil or criminal) the intruders may bear and which legal procedures apply.
You then have to decide how to handle the incident: you can simply harden your system, or you can choose to pursue the intruders.
If you want to find out who the intruders are, negotiate with management and consult legal counsel about whether the intruders have violated local or national law. On that basis you can report the case and see whether the police are willing to investigate it.
For an intrusion incident, discuss the following questions with management and legal counsel:
Whether tracing the intruders or their network connections would itself violate the law.
What liability your site bears if it was aware of the intrusion but took no measures to stop it.
Whether the intruders have violated national or local law.
Whether an investigation is required.
Whether law enforcement should be notified.
1.3 Notify law enforcement
If you intend to conduct any kind of investigation or to prosecute the intruders, discuss the questions above with management and legal counsel first, and then inform the relevant law enforcement agencies.
Remember that, unless law enforcement is involved, any tracking of the intruders that you do yourself may be illegal.
1.4 Notify other relevant personnel
Besides management and legal counsel, you also need to notify the people the recovery may affect, such as other network administrators and the users of the system.
2. Record all steps in the recovery process
It cannot be overstated how important it is to record every step you take during the recovery. Recovering a compromised system is a troublesome task that takes a lot of time, and under that pressure hasty decisions get made. Recording each step helps you avoid hasty decisions, leaves a record for future reference, and may also be needed for a legal investigation.
B. Regain control of the system
1. Disconnect the compromised system from the network
To regain control of the compromised system, disconnect it from the network, including any dial-up connections. After disconnecting, you may want to bring a UNIX system into single-user mode, or log on to an NT system locally as Administrator, to regain control. Be aware, however, that rebooting or switching to single-user mode or a local Administrator logon loses some useful information, because every process currently running on the system is killed.
Therefore, before doing so, you may want to follow section C.5 (Check for network sniffers) to check whether a sniffer is running on the compromised system.
During recovery, keeping a UNIX system in single-user mode prevents users, intruders and intruder processes from accessing the system or changing the state of the host.
If the system is not disconnected from the network during recovery, the intruders may connect to your host and disrupt the recovery.
2. Make an image of the compromised system
Before starting the intrusion analysis, we recommend that you back up the compromised system; you may need the backup later.
If you have a spare hard disk of the same size and type, you can use the UNIX command dd to copy the compromised system onto it.
For example, on a Linux system with two SCSI disks, the following command makes an exact copy of the compromised system disk (/dev/sda) onto a second disk of the same size and type (/dev/sdb):
# dd if=/dev/sda of=/dev/sdb
Read the dd command manual to obtain more detailed information about this command.
There are other ways to back up a compromised system. NT has no built-in command equivalent to dd; use a third-party program to image the entire disk of the compromised system.
Creating the backup is very important: you may need to restore the system to the state it was in when the intrusion was detected, and the image may be needed for a legal investigation. Record the volume label, identification and date of the backup, and keep it in a safe place to preserve the integrity of the evidence.
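The imaging step above, extended with the record-keeping the text asks for, as an added example that is not part of the original article: these POSIX shell functions run the dd copy, hash the source and the image with sha256sum, append a dated entry to a log, and re-verify the image later. The function names, the log line format and the 1 MiB file used in place of /dev/sda are assumptions made for the demonstration; on a real system you would pass the device nodes and write the log to removable media.

```sh
#!/bin/sh
# Added example: image a disk with dd and record checksums so the copy can be
# verified later. Function names, log format and paths are assumptions.

# image_disk SRC DST LOG
# Copies SRC to DST block for block, hashes both, appends a dated record to LOG.
# Returns 0 if source and image hash the same, 1 otherwise.
image_disk() {
    src=$1; dst=$2; log=$3
    # conv=noerror,sync keeps reading past unreadable blocks and pads them with
    # zeros so later data keeps its offsets. bs=512 matches the sector size, so
    # a real disk never gets a padded tail (a stand-in file must be a multiple
    # of 512 bytes for the two hashes to match).
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s host=%s source=%s sha256=%s\n' "$stamp" "$(uname -n)" "$src" "$src_sum" >> "$log"
    printf '%s host=%s image=%s sha256=%s\n'  "$stamp" "$(uname -n)" "$dst" "$dst_sum" >> "$log"
    [ "$src_sum" = "$dst_sum" ]
}

# verify_image IMG LOG
# Recomputes the hash of IMG and compares it with the value recorded in LOG.
# Returns 0 if they match; a mismatch means the image changed after it was taken.
verify_image() {
    img=$1; log=$2
    recorded=$(grep -F " image=$img " "$log" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] || return 1
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# demo: run the whole procedure on a constructed 1 MiB file standing in for
# /dev/sda (constructed input, not data from a real compromised system).
# Returns 0 only if imaging, verification and tamper detection all behave.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/sda.img" bs=512 count=2048 2>/dev/null
    image_disk "$work/sda.img" "$work/evidence.img" "$work/evidence.log" || return 1
    verify_image "$work/evidence.img" "$work/evidence.log" || return 1
    # Overwrite 16 bytes of the image: verification must now fail.
    dd if=/dev/zero of="$work/evidence.img" bs=1 count=16 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/evidence.img" "$work/evidence.log"; then return 1; fi
    rm -rf "$work"
}

demo && echo "image taken, verified, and tampering detected"
```

Keep the log with the written record of your steps, not on the compromised host: the point of the recorded hash is that it was taken before anyone else could touch the image.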
C. Intrusion Analysis
You can now review the log files and system configuration files for clues about the intrusion, the modifications the intruders made to the system, and the weaknesses in the system configuration that let them in.
1. Check for system software and configuration file modifications by intruders
A. Verify all binary files in the system
When checking whether the intruders modified system software and configuration files, remember that the verification tools you are using may themselves have been modified, and so may the operating system kernel; this is very common. We therefore recommend booting from a trusted kernel and using only clean copies of your analysis tools. For UNIX systems you can obtain a trusted kernel by creating a boot disk and write-protecting it.
Thoroughly check all system binaries and compare them with the original distribution media (such as the CD), because a large number of trojaned binaries have been found that attackers install on compromised systems.
On UNIX systems the following binaries are commonly replaced with Trojan horses: telnet, in.telnetd, login, su, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd and syslogd. You should also check every program referenced from /etc/inetd.conf, the important network and system programs, and the shared libraries.
On NT systems, Trojan horses usually spread as viruses or as so-called "remote administration programs" such as Back Orifice and NetBus, and they replace the system files that handle network connections.
Some Trojan programs are built to have the same timestamp and the same sum(1) checksum as the original binary, so a checksum of that kind cannot tell you whether the file was modified. For UNIX systems we therefore recommend using the cmp program to compare the binaries on the system byte for byte with the files on the original distribution media.
Another way to check a suspicious binary is to ask the vendor for the MD5 checksum of the released binary and compare it with the MD5 checksum of the suspicious file. This works on both UNIX and NT. (MD5 is no longer considered collision-resistant; prefer a stronger hash such as SHA-256 when the vendor publishes one.)
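Both checks described above, the byte-for-byte comparison with the distribution media and the comparison against vendor-published checksums, as an added example that is not code from the original article. The directory layout, the sha256sum-style manifest format and the sample files are assumptions made for this demonstration; the trojaned copy of ps is given the same size and timestamp as the original to show that cmp still reports it.

```sh
#!/bin/sh
# Added example: find modified system binaries by comparing the installed copies
# byte for byte with the original distribution media (cmp), and by checking them
# against a vendor-style checksum manifest. Directory layout, manifest format
# and the sample files are assumptions made for this demonstration.

# compare_with_media SYSROOT MEDIAROOT
# For every regular file under MEDIAROOT, compares the file at the same relative
# path under SYSROOT. Prints one "MODIFIED path" or "MISSING path" line each.
compare_with_media() {
    sysroot=$1; media=$2
    find "$media" -type f | sort | while IFS= read -r orig; do
        rel=${orig#"$media"/}
        if [ ! -f "$sysroot/$rel" ]; then
            echo "MISSING $rel"
        elif ! cmp -s "$orig" "$sysroot/$rel"; then
            # cmp looks at the bytes, so a Trojan that keeps the original size,
            # timestamp and sum(1) checksum is still reported.
            echo "MODIFIED $rel"
        fi
    done
}

# compare_with_manifest SYSROOT MANIFEST
# MANIFEST holds "hash  relative/path" lines in sha256sum output format (the
# text's MD5 workflow is identical with md5sum). Prints MODIFIED/MISSING lines.
compare_with_manifest() {
    sysroot=$1; manifest=$2
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$sysroot/$rel" ]; then
            echo "MISSING $rel"
        elif [ "$(sha256sum "$sysroot/$rel" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $rel"
        fi
    done < "$manifest"
}

# check_binaries SYSROOT MEDIAROOT MANIFEST
# Runs both comparisons; prints the findings and returns 1 if there were any.
check_binaries() {
    findings=$(compare_with_media "$1" "$2"; compare_with_manifest "$1" "$3")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: constructed "media" and "system" trees standing in for the release CD
# and the compromised host (constructed input, not real system files).
# Prints the findings and returns 0 if check_binaries flagged the system.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/media/bin" "$work/sys/bin"
    for f in ls ps netstat login; do
        head -c 4096 /dev/urandom > "$work/media/bin/$f"
    done
    cp "$work/media/bin/ls" "$work/media/bin/netstat" "$work/sys/bin/"
    # Trojaned ps: same size and same timestamp as the original, different bytes.
    head -c 4096 /dev/urandom > "$work/sys/bin/ps"
    touch -r "$work/media/bin/ps" "$work/sys/bin/ps"
    # login is on the distribution media but has been removed from the system.
    (cd "$work/media" && sha256sum bin/ls bin/ps bin/netstat bin/login) > "$work/manifest"
    if check_binaries "$work/sys" "$work/media" "$work/manifest"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

demo
```

Run the comparison with cmp, find and sha256sum taken from the trusted media, not with the copies on the compromised system; the text's warning about trojaned find applies to every tool used here.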
B. Verify the System Configuration File
On UNIX systems, perform the following checks:
Check /etc/passwd for suspicious users.
Check whether /etc/inetd.conf has been modified.
If your system allows the r commands (rlogin, rsh and rexec), check the /etc/hosts.equiv and .rhosts files.
Check for new SUID and SGID files. The following command prints all SUID and SGID files on the system:
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
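The /etc/passwd and SUID/SGID checks above, as an added example that is not part of the original article: the first function flags a second UID 0 account, an empty password field and duplicate UIDs; the second runs the find expression from the text and reports SUID/SGID files that are not in a baseline list saved from the clean system. The password file, the directory tree and the baseline format are constructed for the demonstration and are assumptions, as are the function names.

```sh
#!/bin/sh
# Added example: the /etc/passwd and SUID/SGID checks as POSIX shell functions,
# run against a constructed password file and directory tree rather than the
# live system. Function names, baseline format and sample data are assumptions.

# suspicious_passwd PASSWDFILE
# Prints one line per entry worth a second look:
#   UID0 name          a second account with uid 0
#   NOPASS name        an empty password field (no password required)
#   DUPUID name uid=N  a uid already used by an earlier entry
suspicious_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        $2 == ""                { print "NOPASS " $1 }
        seen[$3]++ && $3 != 0   { print "DUPUID " $1 " uid=" $3 }
    ' "$1"
}

# setuid_files ROOT
# Lists SUID and SGID regular files under ROOT, one path relative to ROOT per
# line, sorted, using the same find expression as the text.
setuid_files() {
    root=$1
    find "$root" \( -perm -004000 -o -perm -002000 \) -type f -print \
        | sed "s|^$root/||" | sort
}

# new_setuid_files ROOT BASELINE
# Prints SUID/SGID files present now that are not listed in BASELINE (a sorted
# list saved from the clean system, e.g. right after installation).
# Returns 1 if any were found, 0 if the set is unchanged.
new_setuid_files() {
    tmp=$(mktemp) || return 1
    setuid_files "$1" > "$tmp"
    new=$(comm -13 "$2" "$tmp")      # comm needs both inputs sorted
    rm -f "$tmp"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# demo: constructed inputs with planted problems (not a real system).
# Prints the findings; returns 0 if the planted SUID file was detected.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
toor:x:0:0:second uid 0:/tmp:/bin/sh
guest::1001:1001:empty password field:/home/guest:/bin/sh
bob:x:1000:1000:shares uid with alice:/home/bob:/bin/sh
EOF
    suspicious_passwd "$work/passwd"
    # Two legitimate SUID binaries go into the baseline; one is planted later
    # in a hidden directory, which is what the comparison must catch.
    mkdir -p "$work/fs/usr/bin" "$work/fs/tmp/.x"
    for f in usr/bin/passwd usr/bin/su; do
        : > "$work/fs/$f"; chmod 4755 "$work/fs/$f"
    done
    setuid_files "$work/fs" > "$work/suid.baseline"
    : > "$work/fs/tmp/.x/sh"; chmod 4755 "$work/fs/tmp/.x/sh"
    if new_setuid_files "$work/fs" "$work/suid.baseline"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}

demo
```

The baseline only helps if it was taken before the intrusion; if none exists, compare the list against the distribution media instead, as in the binary check above.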
On NT, perform the following checks:
Check for unexpected users and group memberships.
Check whether the registry entries that start programs at logon or as services have been modified.
Check for unauthorized hidden shares with the "net share" command and Server Manager.
Check for unrecognized processes with the pulist.exe program.
2. Check for modified data
Intruders often modify data on the system, so we recommend verifying the web pages, the files in the ftp archive, the files in user home directories and any other data files.
3. Check the tools and data left by intruders
Intruders usually install tools on the system so that they can keep monitoring it after the intrusion.
The following kinds of files are typically left behind:
Network sniffer
A network sniffer is a program that monitors and records network traffic. Intruders use sniffers to capture user names and passwords that are transmitted in clear text over the network (see C.5).
Sniffers are more common on UNIX systems.
Trojan Horse program
A Trojan horse program appears to perform one function while actually performing another. Intruders use Trojan horses to hide their activity, to capture user names and passwords, and to create backdoors for future access to the system.
Backdoor
A backdoor hides on the compromised system and lets the intruders in without going through the normal authentication, so they no longer need to run an exploit against a vulnerability to get back in.
Exploit programs
Software with security flaws is a major cause of intrusions. Intruders use exploit tools against known flaws to gain illegal access to a system, and these tools are usually stored in a hidden directory on the system.
Other tools used by intruders
The list above does not cover all intrusion tools; attackers may leave other tools on the system, including:
Vulnerability scanners
Scripts for launching large-scale probes against other sites
Tools for launching denial-of-service attacks
Programs that abuse the host's computing and network resources
Intrusion Tool Output
You may find log files left behind by the intruders' tools. These may reveal the other sites involved, the vulnerabilities the attackers exploited, and vulnerabilities of other sites.
We therefore recommend searching the system thoroughly for the tools listed above and their output files. Note that during the search you must use a search tool that has not been modified by the attackers.
Concentrate the search on the following areas:
Check for unexpected ASCII files in the UNIX /dev directory. The configuration files used by some Trojan programs are usually placed in /dev.
Carefully check the hidden files and directories on the system. If the intruders created a new account, its home directory and the files it uses may be hidden.
Check for directories and files with strange names such as "..." (three dots), ".. " (two dots followed by a blank) or a blank (on UNIX systems); intruders commonly hide files in such directories. On NT, check for directories and files whose names are very close to those of system files.
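The /dev and strange-name searches above, as an added example that is not part of the original article: the first function lists regular files under /dev that contain text rather than binary data, the second lists every entry whose name consists only of dots and blanks. The directory tree they run against is constructed for the demonstration, and the function names and planted files are assumptions.

```sh
#!/bin/sh
# Added example: two of the searches above as POSIX shell functions, run
# against a constructed directory tree standing in for the root filesystem
# (constructed input, not a real compromised system). Function names and the
# planted files are assumptions made for this demonstration.

# text_files_in_dev ROOT
# Lists regular files under ROOT/dev that look like text. grep -I treats a file
# containing NUL bytes as binary and reports no match, so sniffer configuration
# files and scripts show up while binary blobs do not. Paths relative to ROOT.
text_files_in_dev() {
    root=$1
    find "$root/dev" -type f -exec grep -Iq . {} \; -print | sed "s|^$root/||" | sort
}

# odd_names ROOT
# Lists entries under ROOT whose name consists only of dots and blanks
# ("...", ".. ", " " and so on), a common way to hide a directory. "." and ".."
# themselves are never reported. Each path is printed in brackets so that a
# trailing blank in the name is visible.
odd_names() {
    root=$1
    find "$root" -print | while IFS= read -r path; do
        name=${path##*/}
        case "$name" in ''|.|..) continue ;; esac
        # Strip every dot and blank; anything left means the name is ordinary.
        [ -z "$(printf '%s' "$name" | tr -d '. ')" ] || continue
        printf '[%s]\n' "${path#"$root"/}"
    done | sort
}

# demo: constructed tree with a sniffer configuration planted in dev/, a binary
# device-like blob that must not be reported, three oddly named directories and
# one ordinary hidden directory that must not be reported either.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/dev" "$work/tmp/... " "$work/var/tmp/.. " "$work/usr/lib/ " \
             "$work/home/alice/.ssh"
    printf 'log /tmp/... /sniff.log\ninterface eth0\n' > "$work/dev/ptyq"
    printf 'ELF\000\001\002\000' > "$work/dev/sda"
    : > "$work/tmp/... /sniff.log"
    text_files_in_dev "$work"
    odd_names "$work"
    rm -rf "$work"
}

demo
```

On a real system expect some legitimate text in /dev (older distributions kept the MAKEDEV script there); the point is to compare what you find against what the distribution media installs.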
4. Review System Log Files
Review the system log files in detail to learn how the system was broken into, what the attackers did during the intrusion, and which remote hosts accessed your host. This gives you a clearer picture of the intrusion.
Remember that any log file on the system may have been modified by the intruders.
For UNIX systems, you may need to view /etc/syslog