To Catch a Hacker

In the unhappy event that hackers crack your network, how should you repair the damage? What can you do to ensure the event is never repeated? Should you contact the authorities?
On the ISP-Security list in January, JPM asked for guidance in tracking down a hacker:
One respondent expressed doubt about the surviving bash history: [RP wrote] "The problem with a bash log is that while it tells you what they did, it probably doesn't give you any info on where they were from or who they are. If they used the FTP to get to anything, that is a good clue and should be in the history as an 'arg.'" [MH had additional reservations] "You wouldn't trust a binary left by the attacker; don't trust a log either. It could be a fake left there to mislead you, or the log might show six Trojans planted while three others were left out of the logs."
Plenty of folks had ideas about what to do: [DR suggested] "Your best bet would be to start the server over from scratch." [MH, however, warned] "Trying to fix a hacked system destroys confidence in the system evidence if the case ever goes to court. The best plan is to pull out the hard drives, replace them with new ones, reinstall, and try to get your systems back online. It is important to figure out what went wrong, but step lightly during your post mortem on the rooted systems."
Other respondents offered prevention advice: [GM wrote] "I'd suggest installing Psionic Software's Port Sentry. It'll detect port scans and can block all traffic from the hacker's IP address." [JL had another solution] "Unless you want to totally lock down your box, I suggest writing a quick script using md5sum(1). Then exchange all of your suid binaries for ones that you know are absolutely safe, and take a checksum of them. Have it run at boot or at various times during the day so you can feel a little bit safer."
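The checksum script JL describes, written out as an added example (this is not code from the list or from any respondent). It baselines the setuid binaries with md5sum(1) as quoted and, beyond a plain re-hash, also flags setuid files that were not in the baseline at all; the HASH variable is an assumption added here so sha256sum can be substituted.

```shell
#!/bin/sh
# Added example: baseline and re-check the setuid binaries on a host.
# HASH defaults to md5sum as on the list; sha256sum is a drop-in replacement
# (the variable is this example's own, not from the page).
HASH="${HASH:-md5sum}"

# Every setuid regular file under $1, staying on that filesystem, sorted.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Write "hash  path" lines for each setuid file under $1 into baseline $2.
# Take it right after reinstalling from known-good media and keep the file
# off the host; a baseline the intruder can rewrite proves nothing.
build_baseline() {
    : > "$2"
    list_suid "$1" | while IFS= read -r f; do
        "$HASH" "$f" >> "$2"
    done
}

# Re-check tree $1 against baseline $2. Reports (a) baselined binaries whose
# hash changed or that vanished and (b) setuid files absent from the
# baseline, the planted-binary case a bare "md5sum -c" never sees.
# Returns 0 only when both lists are empty.
verify_baseline() {
    status=0
    changed=$("$HASH" -c "$2" 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$changed" ]; then
        printf 'CHANGED OR MISSING:\n%s\n' "$changed"
        status=1
    fi
    known=$(sed 's/^[^ ]*  //' "$2")          # strip the "hash  " prefix
    new=$(list_suid "$1" | while IFS= read -r f; do
        printf '%s\n' "$known" | grep -qxF -- "$f" || printf '%s\n' "$f"
    done)
    if [ -n "$new" ]; then
        printf 'UNBASELINED SETUID FILE:\n%s\n' "$new"
        status=1
    fi
    return "$status"
}
```

Run build_baseline once from a clean install and verify_baseline from cron or at boot, as JL suggests; a non-zero exit is the signal to pull the drive rather than to "fix" the box in place.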
A number of list members stressed the need to read up on security issues: [V wrote] "To help prevent future attacks, read all the CERT advisories you can. They are quite aware of the newest exploits and attacks that many hackers use." [RW countered] "While CERT advisories are great sources of information, they're usually a bit old by the time they're issued; a couple of weeks can be a long time in this situation. Subscribe to SecurityFocus.com's Bugtraq list."
A side discussion sprang up on the issue of contacting law enforcement: [RP wrote] "If you can identify the system, contact the system administrator to let them know they are being used. They may be able to track the hacker on their outgoing ftp logs. Or hand the information to the FBI." [JL replied] "Contacting the FBI will be a waste of time. If this hacker had half a clue he'd have used loadable kernel modules to hide his activities." [TJ countered] "Contacting the FBI about a hacker that cracked into ISPs and is doing DoS attacks against others is a waste of time? That's not what the local FBI office told me when I contacted them about security breaches at more than one site. They were very interested."