Your System Has Been Cracked, not Hacked!

Document version: 20090208 19:41:35 UTC

A current text copy of this document may be found on the ERACC web site here: http://www.eracc.com/files/been_cracked.txt

Document author: Gene Alexander of ERA Computers & Consulting

Contact ERACC about this document: support at eracc dot com

Your Linux, UNIX, or other computer system has been cracked (not hacked, see bottom). What now?

  1. Disconnect the infected system NOW! Don't wait.
  2. Get all patches for your OS version a.s.a.p. (Now! Today!)
  3. Save the patches to another system / drive / CDR / etc.
  4. BACKUP ANY DATA YOU NEED TO KEEP.
    • (By Pep <PepMozilla@netscape.net> 2001-12-21) Do not include any binary programs in your backup as these may have been compromised. You should re-install binary programs and libraries from their original medium.
  5. Wipe the OS partition / drive clean. (You are unlikely to be able to clean up a compromised system by hand. So, grit your teeth and reformat that sucker.)
    • (By Andreas Braeutigam <abrae@freenet.de> 2002-02-26) (This is not an exact quote but is a paraphrase) Reformat may give the wrong impression that a time-consuming format of the entire drive is needed. Rather than reformat the entire drive, wipe out the MBR, partition boot sectors, root partition, and any other partition containing executable files that may be compromised.
  6. Reinstall the OS + apps and restore data to the clean partition / drive.
    • (By Bill Unruh <unruh@physics.ubc.ca> 2001-12-21) Then, scan all of the files which you saved for suid programs: find / -perm +6000 -ls [Current GNU find no longer accepts the +6000 form; use find / -perm /6000 -ls, or the portable find / \( -perm -4000 -o -perm -2000 \) -ls.]
    • (By Bill Unruh <unruh@physics.ubc.ca> 2001-12-21) Make sure that each of those files which are reported should actually be suid or sgid. If they are system files, check them with: rpm -Vf /name/of/file. If they are in your or others' home directories, they almost certainly should not be suid, especially not suid root. For example a file in /tmp, or in /usr/share/man, should never be suid root.
      • (By Moe Trin <no e-mail given> 2005-10-06) That works with rpm assuming no one has "gotten to" the rpm database. Note that quite a few distributions are rpm based and can use this test. For a Debian based system, use 'debsums -s'.
    • (By Pep <PepMozilla@netscape.net> 2001-12-21) When you restore your backup, check all system configuration files that are restored for any cracks that may have already been incorporated into these files.
    • (By Bill Staehle <withheld on req.> 2002-01-07) Use find / \( -nouser -o -nogroup \) -exec ls -lad {} \; and if anything turns up, determine why the user and/or group is not in /etc/passwd and/or /etc/group. Who really owns those files/directories? What are they?
  7. WHILE OFFLINE, or behind a firewall with every network service on the machine turned OFF, install all the patches.
  8. Create your own, unique hidden directory and 'cp' files to it that are essential to system maintenance like 'ls', 'netstat', 'route', 'ifconfig', 'ps', etc. (Should you be cracked again, God forbid, as long as you don't have a compromised kernel this will allow you to use these copies to "see" what a cracker may have done.)
    • (By Andreas Braeutigam <abrae@freenet.de> 2002-02-26) I'd rather store those copies on a separate system or a non-writeable medium. [like a CD-R, floppy diskette with write protect on, etc.]
    • (By Pep <PepMozilla@netscape.net> 2001-12-21) Check your final installation to see that all known security bugs have been addressed. There are various utilities that you can get to help with this, such as port scanners; etc.
    • (By Pep <PepMozilla@netscape.net> 2001-12-21) Install some of the security monitors that exist out there. I can't give you the names of all of these but there are monitors like portsentry that constantly scan for connections to your system, also there are other utilities that constantly check your system logs and ones that constantly check the system configuration files for any modifications of content and/or permissions.
    • (By Bill Staehle <withheld on req.> 2002-01-01) [It] would be better if the program files you put into that hidden directory are statically compiled, and not using the possibly corrupted dynamic libraries. It also assumes that the kernel doesn't get messed with. At this time these concerns are not big, but why not stay ahead?
    • (By James Knott <james.knott@rogers.com> 2002-01-02) Mount as much of your filesystem as possible as read only. If the crackers can't write to a partition, they can't change it. Rename and hide su etc. [as suggested in 8].
  9. Then, and only then, set the box up to get online.
  10. (By Pep <PepMozilla@netscape.net> 2001-12-21) Finally, design and implement a regular backup procedure, something you should already have done, so that you can limit any future problems you might have with your system, whether from cracking; bad configuration; system failure or simply bad users.
    • (By Bill Staehle <withheld on req.> 2002-01-01) [For further security] you could have another system sitting off a separate network, that randomly grabs a file off of this box, and does a file comparison externally. If that other system is not accepting ANY connections from ANYWHERE, it makes a better intrusion detection system.
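
The checks from steps 6, 8 and 10 above, gathered into one script as an added example; this is not code from the original document or from any of the contributors quoted in it. It assumes POSIX sh, a find(1) that understands -xdev and -ls, and sha256sum or shasum on the PATH. The list of directories where set-UID binaries are "expected" is an assumption; adjust it for your distribution. Two caveats the script cannot remove: copying dynamically linked tools into a hidden directory still leaves them depending on the libraries of the box (Bill Staehle's point), so a statically linked busybox is the better toolkit; and never run ldd on a binary you suspect, because ldd may end up executing it.

```sh
#!/bin/sh
# Added example for the ERACC "been cracked" checklist; not code from the
# original document or its contributors. Assumes POSIX sh, a find(1) that
# understands -xdev and -ls, and sha256sum or shasum on the PATH.

# --- step 6: audit the data you restored ----------------------------------

# Every set-UID or set-GID regular file under ROOT, staying on one filesystem.
# "-perm -4000 -o -perm -2000" is the portable spelling of the old "+6000".
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Where set-UID binaries legitimately live (an assumption; adjust to taste).
# Anything elsewhere (/tmp, home directories, /usr/share/man ...) is suspect.
setuid_location_ok() {                     # args: ROOT PATH
    rel="${2#"$1"}"
    case "$rel" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib64/*|/usr/libexec/*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# One line per set-UID file, tagged OK or SUSPECT.
audit_setuid() {                           # arg: ROOT
    root="${1%/}"                          # "/" becomes "", so paths stay absolute
    find_setuid "${root:-/}" | while read -r f; do
        if setuid_location_ok "$root" "$f"; then echo "OK $f"; else echo "SUSPECT $f"; fi
    done
}

# Number of suspect set-UID files (0 is what you want to see).
suspect_setuid_count() {
    audit_setuid "$1" | grep -c '^SUSPECT ' || true
}

# Files whose owner or group is not in /etc/passwd or /etc/group. The lookup
# uses the running system's password files, so on a disk mounted from a
# rescue boot every UID of the old installation will show up here.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -ls
}

# Package-manager verification (rpm -Va / debsums -s). Only meaningful while
# the package database itself is trustworthy, i.e. right after the reinstall.
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then rpm -Va
    elif command -v debsums >/dev/null 2>&1; then debsums -s
    else echo "no rpm or debsums found" >&2; return 1
    fi
}

# --- steps 8 and 10: a trusted copy of the tools, plus a manifest ----------

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy each named binary into DEST and record "hash original-path" in
# DEST/MANIFEST. Move DEST to read-only media afterwards: a manifest kept on
# the same disk as the system is worth exactly as much as that disk.
make_toolkit() {                           # args: DEST /path/to/tool...
    dest="$1"; shift
    mkdir -p "$dest" && : > "$dest/MANIFEST"
    for tool in "$@"; do
        cp -p "$tool" "$dest/"
        printf '%s %s\n' "$(sha256_of "$tool")" "$tool" >> "$dest/MANIFEST"
    done
}

# Compare the live binaries against the manifest. ROOT (optional) is a prefix
# so a suspect disk mounted at e.g. /mnt/suspect can be checked from outside,
# which is the external comparison Bill Staehle describes.
check_toolkit() {                          # args: DEST [ROOT]
    while read -r want path; do
        live="${2:-}$path"
        if   [ ! -f "$live" ]; then echo "MISSING $live"
        elif [ "$(sha256_of "$live")" = "$want" ]; then echo "ok $live"
        else echo "MODIFIED $live"
        fi
    done < "$1/MANIFEST"
}

# Typical use on the freshly installed box (as root):
#   audit_setuid /  ;  find_unowned /  ;  verify_packages
#   make_toolkit /root/.tk $(command -v ls ps netstat ss ip lsof)
#   later, from a rescue boot:  check_toolkit /media/cdrom/tk /mnt/suspect
if [ "$#" -eq 1 ] && [ -d "$1" ]; then audit_setuid "$1"; find_unowned "$1"; fi
```

Run audit_setuid and find_unowned over the restored data before you trust it, and rerun check_toolkit from a rescue boot with the suspect disk mounted under a different ROOT whenever you doubt the box. The comparison rests on the manifest, not on the copied binaries, so the manifest is the thing to put on a CD-R or on the separate machine.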

What if you have only one machine with one OS installed? You still need to disconnect, backup and reinstall. To get the patches ask a friend or acquaintance with a secured system to help download the patches. Or see if your OS vendor offers the current patches on CD. If so, order it. For further reference see the comp.os.linux.security FAQ: http://www.linuxsecurity.com/docs/colsfaq.html

Finally, if all this is too much for you to handle alone, consider hiring an expert to assist you or to do it for you. Be aware, however, that hiring a consultant who is able to help will probably not be inexpensive. For Linux and UNIX consultants in your area check these:

http://aplawrence.com/consultants.html
https://www.redhat.com/apps/reseller_catalog/

(Following FTP information By Bill Staehle <withheld on req.> 01-07-2002)

ftp://metalab.unc.edu/pub/Linux/
ftp://ftp.oss.cc.gatech.edu/pub/linux
ftp://ibiblio.org/pub/Linux

Those are anonymous FTP servers. Log in as anonymous, with your e-mail address as password, and change to the indicated directory. Look for the file "MIRRORS" to find a list of other servers that may be more accessible to you. Then continue down from this directory to ./docs/linux-doc-project/linux-consultants-guide/ and get one of the versions of the Consultants-Guide:

  • Consultants-Guide.html.tar.gz
  • Consultants-Guide.pdf
  • Consultants-Guide.pdb
  • Consultants-Guide.ps.gz
  • Consultants-Guide.txt

Or in the event those FTP sites no longer have the documents mirrored look here: http://www.commandprompt.com/community/consultants/guide

Certified or Authorized resellers and/or consultants should be able to assist you. A certification or authorization is not a true indicator of ability as so many pointy-haired-bosses seem to believe (http://www.dilbert.com/). With or without a certification those well versed in Linux and/or UNIX are usually capable of handling the "lesser OS's" as well.

Finally, NEVER use the word "hacking" to describe "cracking" as there is a significant difference between a "cracker" and a "hacker". See:

http://www.catb.org/~esr/jargon/html/C/cracker.html
http://www.catb.org/~esr/jargon/html/H/hacker.html

Most of all Good Luck!

