In recent months, UNIX system administrators at the university have seen an upsurge in hacker/crackers targeting UO systems for break-ins and abuse. If a system you manage gets violated, here are some basic steps you'll want to take:
The first thing to do is report the violation. There are several organizations you may need to contact, such as
Suggestions for action and referrals to other information sources are given below.
Assuming the computer crime occurred on a system connected to UOnet, report the incident to Network Services at abuse@uoregon.edu or call 346-4395. Be careful NOT to send mail to the usual Network Services address (nethelp@ns.uoregon.edu), as that alias is widely distributed and is also the gateway to USENET News. This means hackers may routinely monitor that traffic.
Do not report the incident using email from the system you believe was compromised, since email on that system may be monitored or interfered with by the intruder. If you forward mail to the compromised system from another system (such as DARKWING), you should also turn off forwarding until the compromised system has been fixed.
Computer crimes, like any other crime, should be reported to appropriate law enforcement authorities. However, you should be aware that once you do, you will become a de facto agent of law enforcement and will be less free to gather information from users' accounts because of legal privacy issues. It's best to gather as much evidence as possible before contacting law enforcement agencies.
That said, the primary reason for contacting law enforcement early on is to determine what, if any, evidence they'd like to collect from your system, and whether they'd be interested in using your system in an effort to catch an intruder in the act.
Federal authorities: If the crime was perpetrated from a system outside Oregon, federal authorities will have jurisdiction over the incident, given the definition of "Federal interest computers" appearing at 18 USC 1030 (e) (2). See http://www.law.cornell.edu/uscode/18/1030.shtml as well as other applicable statutes.
Practically speaking, it is unlikely Federal law enforcement officials will be interested in minor security incidents, but all major computing incidents (especially all incidents involving a Federal interest computer and significant out-of-pocket financial losses) should be reported.
Local authorities: If a computer incident is not of interest to federal law enforcement authorities, it's possible that the Oregon State Police, the Eugene Police Department, or UO Campus Security may want to pursue the matter.
3. CERT
All computer crimes meeting at least the minimum definition of computer incidents should also be reported to CERT, the Computer Emergency Response Team. For more information on reporting to CERT, see http://www.cert.org/tech_tips/incident_reporting.html
4. Others Who May be Affected
The final reporting step is to contact other systems administrators and users who may be affected by the host compromise. For example, if you discover logs from network-monitoring software that include usernames and passwords for other hosts, the administrators of those hosts need to be notified. Likewise, if your logs include an indication of where an attack originated, you'll need to contact the administrators of that host, as they may also have a security breach.
Preserve the Evidence
If authorities do want to gather evidence from your system, be prepared for any one of the following scenarios:
o they may ask you to remove one or more system disks for further investigation or for use as evidence (which means you'll need to replace them with new units)
o they may ask you to do a complete backup of the system to tape
o they may ask you to save/print copies of relevant log files
After you've reported the break-in to the proper authorities, take the following steps to recover:
1. Remove the system from the network. If law enforcement is not interested in using your system in an effort to catch an intruder in the act, the next step is to remove the compromised system from the network so it cannot be used as a base from which to attack other systems.
2. Do a full backup for your own use. With the system removed from the network, do a full backup to local media for your own use.
3. Reinstall the operating system from original media. You should install the latest stable release of your operating system from original media, i.e., from original CD-ROM. Until you do this, you cannot be sure that the operating system running on the compromised system hasn't been modified to defeat system security features or to provide the hackers/crackers with a "back door" to that host.
4. Apply all recommended operating system patches. You should also apply all vendor-recommended operating system patches applicable to the release you've just reinstalled. If you fail to do this, the intruder may be able to exploit a known vulnerability to recrack your system as soon as it comes back up on the network.
5. Change the passwords on all accounts. You need to assume that all accounts on your system have also been compromised, and you must assign and securely distribute new passwords for all those accounts. Yes, this is a pain. Yes, users will be unhappy, at least until you explain why it is necessary. Be sure to check that no "extra"/unauthorized accounts have been created, and that all accounts which may be created by default during the installation process are secured by passwords or removed if unneeded.
6. Check for setuid files or other configuration problems. You should also use the COPS program to check for setuid files (files installed so that they run with the permissions of their owner, typically root, rather than those of the user who invokes them) and other system configuration vulnerabilities. COPS is available from ftp://ftp.cert.org/pub/tools/cops/. The presence of executable files in unexpected places should also be investigated and resolved.
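The two checks that steps 5 and 6 call for, written as an added sh/awk example (not from the original article): audit_passwd flags extra UID 0 accounts, empty password fields and duplicate names in a passwd-format file, and find_setuid lists setuid/setgid files under a directory. The sample passwd entries are constructed, and the script assumes the classic seven-field passwd layout.

```shell
#!/bin/sh
# Added example, not from the original article: quick checks for the account
# and setuid problems the recovery steps say to look for. Run them against
# copies of the files taken from your backup as well as the reinstalled system.

# Constructed sample passwd file: "toor" is a second UID 0 account, "guest"
# has an empty password field, and "www" appears twice.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/:/bin/false
toor:x:0:0:spare root:/:/bin/sh
guest::500:500:guest:/home/guest:/bin/sh
www:x:80:80:web:/var/www:/bin/false
www:x:81:81:web2:/var/www:/bin/false'

# audit_passwd: read a passwd-format file on stdin and print one
# "reason:user" line per problem; no output means nothing was found.
# On a shadow-password system the password field is "x", so run the same
# empty-field check over the shadow file too.
audit_passwd() {
    awk -F: '
        NF != 7                 { print "malformed:" $0; next }
        $2 == ""                { print "nopasswd:"  $1 }
        $3 == 0 && $1 != "root" { print "uid0:"      $1 }
        seen[$1]++              { print "duplicate:" $1 }
    '
}

# Run the audit over the built-in sample (3 findings expected).
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

# find_setuid DIR: list setuid and setgid regular files below DIR, sorted,
# so the list can be diffed against one taken from a fresh install.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}
```

Against a live system: `audit_passwd < /etc/passwd` and `find_setuid / > setuid.now`, then diff the latter against a list saved right after reinstalling.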
Next, you'll need to take some steps to "harden the system" against further break-ins:
1. Disable all unneeded services. Disable all unneeded Internet services running on your system. For example, if you aren't using NFS to share files, don't run NFS by default. If you aren't actively using/encouraging the use of finger, don't enable it by default (and give strong consideration to disabling Telnet in favor of ssh if possible; see below).
2. Install TCP Wrappers. Installation of TCP Wrappers will improve logging and your ability to block attempts to hack/crack your system. TCP Wrappers are available from ftp://ftp.cert.org/pub/tools/tcp_wrappers/
3. Install sshd and disable telnetd, pop, and ftpd. Because transmission of unencrypted passwords over the network is such a significant vulnerability, give strong consideration to installing sshd and disabling telnetd and ftpd so passwords won't be transmitted in plain text when you log in or transfer files. sshd is available from http://www.ssh.org/
A free ssh client for PCs running Windows 95/NT is included on this year's Duckware CD-ROM; pointers to commercial ssh clients for the PC and the Mac are available from the ssh.org site mentioned above.
4. Install tripwire so that you will know if crucial files have been changed. Installation of tripwire will let you know if crucial system files have been modified without authorization. Tripwire is available from ftp://ftp.cert.org/pub/tools/tripwire/
5. Install anti-relay/anti-spam sendmail rulesets. To prevent your system from being abused by spammers, modify your sendmail installation to use anti-relay and anti-spam sendmail rulesets. See http://www.sendmail.org/tips/relaying.html and http://maps.vix.com/
6. Reinstall all application software from original media. Just as your operating system was rendered untrustworthy when your system was compromised, all of your applications also immediately became suspect. You need to reinstall them from scratch unless you are able to verify their integrity (à la tripwire checksums).
7. Request installation of a switched network port. Multiuser systems and network servers should also be run from a switched network port, rather than from a normal shared network port, to further reduce or eliminate packet sniffing opportunities. In many buildings, switched 100 Mbps (fast ethernet) service is available from Network Services for a one-time charge of $250/port. This is a particularly good idea in labs, where public access (including the ability to potentially install a sniffer on a lab machine) is a given.
Finally, take preventive measures to ensure you'll be less vulnerable in the future:
1. CERT Mailing List
If you are responsible for the administration of a system, subscribe to the CERT Advisory Mailing List. See http://www.cert.org/contact_cert/certmaillist.html
2. Bugtraq
Another excellent mailing list for system administrators is Bugtraq. See http://www.cert.org/other_sources/usenet.html
3. Vendor Mailing Lists/Security Web Sites. You should also investigate whether your operating system vendor offers a security mailing list or has a security web site, or if there is a USENET News group discussing security or system administration issues for your operating system.
4. Watch your system's logs and load. The final and most important step is to check your system's logs regularly and monitor its load. (Automating system log checks via a semi-intelligent log parser would increase chances of detecting unauthorized activities on the system.) Know what's normal for your system and investigate unusual behavior, particularly unusual behavior occurring at odd times or from odd places. Be proactive if you notice any unexpected jobs running.
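A starting point for the "semi-intelligent log parser" step 4 suggests, as an added sh/awk example (not from the original article): it reads syslog-style login and su records and tags root logins, logins at odd hours, logins from outside a home domain, failed su attempts and successful su to root. The sample log lines are constructed, and the message formats and the ".uoregon.edu" home domain are assumptions to adjust to what your login(1) and su(1) actually record.

```shell
#!/bin/sh
# Added example, not from the original article: a small log scanner in the
# spirit of "know what's normal and investigate unusual behavior at odd times
# or from odd places". Patterns assume classic login(1)/su(1) syslog formats.

# Constructed sample log: an off-campus root login at 03:14, a normal campus
# login, a failed su, a successful su, cron noise, and a late outside login.
SAMPLE_LOG='Oct 12 03:14:05 oak login[2231]: ROOT LOGIN ON ttyp3 FROM dialup7.example.net
Oct 12 09:15:22 oak login[2255]: LOGIN ON ttyp4 BY alice FROM lab12.uoregon.edu
Oct 12 03:20:01 oak su[2240]: BAD SU bob to root on /dev/ttyp3
Oct 12 11:00:00 oak su[2310]: alice to root on /dev/ttyp5
Oct 12 12:00:00 oak cron[2350]: (root) CMD (/usr/lib/newsyslog)
Oct 12 23:45:10 oak login[2400]: LOGIN ON ttyp6 BY carol FROM shell.example.org'

# scan_log DOMAIN: read syslog lines on stdin and print "tag: line" for each
# record worth a look. One line can earn several tags.
scan_log() {
    awk -v dom="$1" '
        # Field 3 is HH:MM:SS; treat 00:00-05:59 as odd hours for logins.
        function odd_hour(   t) { split($3, t, ":"); return (t[1] + 0) < 6 }
        # The word after FROM is the remote host as login(1) records it.
        function remote(   i) { for (i = 1; i <= NF; i++) if ($i == "FROM") return $(i + 1); return "" }
        # Off campus means the host name does not end in the home domain.
        function off_campus(h) {
            if (h == "") return 0
            if (length(h) < length(dom)) return 1
            return substr(h, length(h) - length(dom) + 1) != dom
        }
        /ROOT LOGIN/                       { print "root-login: " $0 }
        /LOGIN ON/ && off_campus(remote()) { print "offcampus-login: " $0 }
        /LOGIN ON/ && odd_hour()           { print "odd-hour-login: " $0 }
        /BAD SU/                           { print "failed-su: " $0 }
        / to root on / && !/BAD SU/        { print "su-to-root: " $0 }
    '
}

# Run the scanner over the built-in sample with .uoregon.edu as home domain.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log ".uoregon.edu"
}
```

From cron, something like `scan_log .yourdomain.edu < /path/to/syslog | mail -s "login report" root` turns this into the daily check the step describes.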