
UNIX Postmortem

Mark Henman


Presentation Transcript


  1. UNIX Postmortem
     Mark Henman

  2. Introduction
     For most system administrators, there is no question that at some point at least one of their systems is going to be hijacked by someone else. This presentation should provide enough information to help an administrator quickly and successfully recover from an attack.

  3. Discovery
     • Realize that you’ve been hacked
     • Tools
     • Observation

  4. Realize that you’ve been hacked
     • Crackers used to make themselves known quickly
     • Web site defacing
     • Today’s crackers hide
     • Hijacked machine market

  5. Tools
     • seccheck
     • chkrootkit
     • Tripwire
     • Snort
     • Use more than one form of intrusion detection.
     • Watch for intruders inside and out.

  6. Trust Nothing!
     • Files may have been replaced
     • Binaries
     • Shared Libraries
     • Kernel

  7. Trust Nothing!
     • Disconnect the Network
     • Shutdown the system
     • Boot from a trusted hard drive
     • Mount compromised file systems without execute permissions

  8. Examining The System
     • Log Files
     • Changed system executables
     • Shared libraries
     • Viewed files
     • Back doors
     • Other network accessible systems
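Slides 7 and 8 describe mounting the compromised file system without execute permissions and then checking whether system executables and shared libraries have been changed. The POSIX shell script below is an added example, not part of the presentation: it mounts the suspect disk read-only with execution disabled and compares its files against a SHA-256 manifest recorded earlier on a trusted system. The device path, mount point and manifest file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides). Assumed inputs: a suspect block device,
# an analysis mount point, and a manifest of "sha256  relative/path" lines made
# on a trusted host, e.g.  sha256sum /bin/* /sbin/* /lib/* | sed 's|  /|  |'
# (the sed strips the leading slash so paths are relative to the mount point).

# Mount the suspect file system read-only and with execution disabled so that
# nothing on it (replaced binaries, setuid helpers, device nodes) can run on
# the analysis host, and so that access times are not disturbed.
mount_evidence() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev,noatime "$dev" "$mnt"
}

# Compare every file listed in the manifest against its copy under $root.
# Prints one line per missing or changed file; returns 1 if any differ, else 0.
verify_manifest() {
    root="$1"; manifest="$2"; bad=0
    while read -r expect path; do
        [ -n "$path" ] || continue          # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expect" ]; then
            echo "CHANGED  $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Typical use on the analysis workstation (the mount step needs root):
#   mount_evidence /dev/sdb1 /mnt/evidence
#   verify_manifest /mnt/evidence trusted-bins.sha256
```

Any CHANGED line for a binary or shared library that was not updated by a known package upgrade is a candidate replaced file; record it before reinstalling, since the reinstall in slide 9 destroys the evidence.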

  9. System Restoration
     • Backup user data
     • Check for alterations
     • Re-install the Operating System
     • Restore user data

  10. Follow-up
     • Harden the system against attack
     • Check for abnormal behavior
     • Bring the system back into service
     • Monitor the log files

  11. Conclusion
     • Don’t panic!
     • Isolate quickly
     • Examine slowly and carefully
     • Protect the system from a repeat attack

  12. Where to Get More Information
     • www.snort.org
     • www.tripwire.org
     • www.chkrootkit.org
     • www.sans.org
