Our mission at the CERT Division is to anticipate and solve the nation's cybersecurity challenges.
Learn more
This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team). It describes suggested steps for responding to a UNIX or NT system compromise. Your response should be carried out in several stages:
Introduction
Document revision history
Note that all actions taken during your recovery from a system compromise should be in accordance with your organization's policies and procedures.
Depending on how your organization is structured, it may be important to notify management in order to facilitate internal coordination of your recovery effort. Also be aware that intrusions may get the attention of the media.
Before you get started in your recovery, your organization needs to decide if pursuing a legal investigation is an option.
Note that the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team) are involved in providing technical assistance and facilitating communications in response to computer security incidents involving hosts on the Internet. We do not have legal expertise and cannot offer legal advice or opinions. For legal advice, we recommend that you consult with your legal counsel. Your legal counsel can provide you with legal options (both civil and criminal) and courses of action based on you or your organization's needs.
It is up to you how you wish to pursue this incident. You may wish to secure your systems or to contact law enforcement to investigate the case.
If you are interested in determining the identity of or pursuing action against the intruder, we suggest that you consult your management and legal counsel to see if any local, state, or federal laws have been violated. Based on that, you could then choose to contact a law enforcement agency and see if they wish to pursue an investigation.
We encourage you to discuss the root compromise activity with your management and legal counsel to answer the following questions:
In general, if you are interested in pursuing any type of investigation or legal prosecution, we'd encourage you to first discuss the activity with your organization's management and legal counsel and to notify any appropriate law enforcement agencies (in accordance with any policies or guidelines at your site).
Keep in mind that unless one of the parties involved contacts law enforcement, any efforts to trap or trace the intruder may be to no avail. We suggest you contact law enforcement before attempting to set a trap or tracing an intruder.
U.S. sites interested in an investigation can contact their local Federal Bureau of Investigation (FBI) field office. To find contact information for your local FBI field office, please consult your local telephone directory or see the FBI's field offices web page available at:
U.S. sites and foreign locations involving U.S. assets, interested in an investigation can contact their local U.S. Secret Service (USSS) Field Office. To find contact information for your local USSS Field Office, please consult your local telephone directory or see the USSS web site available at:
To contact the USSS Electronic Crimes Branch please call:
If your site involves a Department of Defense Contractor, a Department of Defense Entity or any of the U.S. Military Services, and you are interested in an investigation, you may contact the United States Department of Defense Criminal Investigative Service (DCIS), Pittburgh, Pennsylvania at telephone number +1(412)395-6931. For information regarding DCIS please see:
Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.
To contact the Australian Federal Police:
Canberra | +61 2 6256 7777 | Ask for the Co-ordination centre |
---|---|---|
Brisbane | +61 7 3222 1222 | Ask for Operations |
Sydney | +61 2 9286 4000 | Ask for the Co-ordination centre |
Melbourne | +61 3 9607 7777 | Ask for the Co-ordination centre |
Adelaide | +61 8 8419 1811 | Ask for the Co-ordination centre |
Perth | +61 8 9320 3444 | Ask for the Co-ordination centre |
Darwin | +61 8 8981 1044 | Ask for the Co-ordinator |
In addition to notifying management and legal counsel at your site, you may also need to notify others within your organization who may be directly affected by your recovery process (e.g., other administrators or users).
Therefore, you may wish to work through steps in section C.5. Look for signs of a network sniffer to determine if the compromised system is currently running a network sniffer.
Operating in single user mode on UNIX systems will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process.
If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine.
If you have an available disk which is the same size and model as the disk in the compromised system, you can use the dd command in UNIX to make an exact copy of the compromised system.
For example, on a Linux system with two SCSI disks, the following command would make an exact replica of the compromised system (/dev/sda) to the disk of the same size and model (/dev/sdb).
# dd if=/dev/sda of=/dev/sdb
Please read the dd man page for more information.
There are many other ways to create a backup of your system. On NT systems there is no built in command like dd, but there are a number of third party applications that will make an image copy of an entire hard drive.
Creating a low level backup is important in case you ever need to restore the state of the compromised machine when it was first discovered. Also, files may be needed for a legal investigation. Label, sign, and date the backup and keep the backup in a secure location to maintain integrity of the data.
When looking for modifications of system software and configuration files, keep in mind that any tool you are using on the compromised system to verify the integrity of binaries and configuration files could itself be modified. Also keep in mind that the kernel (operating system) itself could be modified. Because of this, we encourage you to boot from a trusted kernel and obtain a known clean copy of any tool you intend to use in analyzing the intrusion. On UNIX systems you can create a boot disk and make it write protected to obtain a trustworth kernel.
We urge you to check all of your system binaries thoroughly against distribution media. We have seen an extensive range of Trojan horse binaries that have been installed by intruders.
Some of the binaries which are commonly replaced by Trojan horses on UNIX systems are: telnet, in.telnetd, login, su, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd, and syslogd. Also check any binaries referenced in /etc/inetd.conf, critical network and system programs, and shared object libraries.
On NT systems, Trojan horses commonly introduce computer viruses or "remote administration" programs such as Back Orifice and NetBus. There have been cases where the system file that handles internet connectivity was replaced with a Trojan horse.
Because some Trojan horse programs could have the same timestamps as the original binaries and give the correct sum values, we recommend you use cmp on UNIX systems to make a direct comparison of the binaries and the original distribution media.
Alternatively, you can check the MD5 results for either UNIX or NT on suspect binaries against a list of MD5 checksums from known good binaries. Ask your vendor if they make MD5 checksums available for their distribution binaries.
Additionally, verify your configuration files against copies that you know to be unchanged.
When inspecting your configuration files on UNIX systems, you may want to
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
When inspecting NT systems, you may want to
The common classes of files left behind by intruders are
Sniffers are more common on UNIX systems, but on NT systems check for key logging programs.
We encourage you to search thoroughly for such tools and output files. Be sure to use a known clean copy of any tool that you use to search for intruder tools.
When searching for intruder tools on a compromised system
Keep in mind when reviewing any log files from a compromised machine that any of the logs could have been modified by the intruder.
On UNIX systems, you may need to look in your /etc/syslog.conf file to find where syslog is logging messages. NT systems generally log everything to one of three logs for NT events, all of which are viewed through the Event Viewer. Other NT applications such as IIS server may log to other locations. IIS by default writes logs to the c:\winnt\system32\logfiles directory.
Below is a list of some of the more common UNIX log file names, their function, and what to look for in those files. Depending on how your system is configured, you may or may not have the following log files.