Suppose you have found that an intrusion has occurred. What should you do?
Tip
These instructions are for your machine or for one you have total responsibility for. If this occurs on a machine where you work, immediately follow whatever procedures your company has in place for a security event.
Quick action is needed if you suspect a break-in. Run the who command or cat /var/log/secure and check the output. If you see a suspicious IP address, take the following actions:
If this were a very important machine with critical data on it, I would pull out the Ethernet wire(s) and shut it down now. I would then boot up from rescue media and try to determine if anything bad had occurred. Checking the date and time they got in (from the who command) could give you an idea of how much damage they may have caused.
If this were my home system, I would first pull the Ethernet wire. I would then run ps auxw to a file to capture what is going on in the system right now. I would copy this file to some other machine or device and then shut down the system.
By examining the ps output and looking at the tty value, I could probably determine what programs they were running, if any. This might point to what they were trying to accomplish by getting into the system.
Obviously, if someone does get into your system, they most likely did it by guessing or somehow determining a password. I would probably reset all the passwords to something much harder to crack, and then inform my users to pick better ones. Or probably assign them myself.
Okay, so at least one person reading this is thinking, "Why pull out the Ethernet wire? Why not just bring down the interface?" Because a shrewd attacker is going to think of that, and as soon as he has access, he is going to put code on the system to automatically bring the interface back up if it goes down. He may even put a timer on it, or hide it in some other way.
It is possible that an attacker had time to do all kinds of things. He may even have been able to modify the who, ps, and other commands to make it almost impossible to track what he did (or is still doing) from the running system. With this in mind, you still need to shut down as soon as possible and then boot up with a rescue disk or equivalent. Some of the things to look at are commands such as ps and who. Run the file command on them; it should show them as binary executables and not shell scripts. If they are shell scripts, you may discover the attacker has renamed the real executables with a leading . (dot) to hide them from a normal directory listing, and then wrapped them in a script to help cover up his presence. There are many other ways to hide as well.
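As an added example (not from the original text), here is a small POSIX shell helper that captures the volatile evidence described above and, once the suspect disk is mounted from rescue media, checks the usual commands by their leading bytes rather than trusting a file command that may itself have been replaced. The capture directory, the root prefix (e.g. /mnt/sysimage), the list of tools checked and the Linux/ELF assumption are all mine, not the author's.

```shell
#!/bin/sh
# Added example, not from the original text. Paths, the capture directory
# and the list of tools checked are assumptions for illustration (Linux/ELF).

# Snapshot volatile state (who is logged in, what is running) to a directory
# that you then copy to another machine before shutting down.
snapshot_state() {
    dir="${1:-/tmp/triage-$(date +%Y%m%d-%H%M%S)}"  # constructed default
    mkdir -p "$dir" || return 1
    who > "$dir/who.txt" 2>&1
    ps auxw > "$dir/ps-auxw.txt" 2>&1
    [ -r /var/log/secure ] && cp /var/log/secure "$dir/secure.log"
    echo "$dir"
}

# Classify a file by its first four bytes instead of trusting the system's
# file(1), which the attacker may also have replaced: "elf" for an ELF
# executable, "script" for a "#!" interpreter line, "other" otherwise.
classify_binary() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n\\')
    case "$magic" in
        177ELF) echo elf ;;
        '#!'*)  echo script ;;
        *)      echo other ;;
    esac
}

# Run from rescue media with the suspect root mounted, e.g.
# check_tools /mnt/sysimage. Reports tools that are not ELF executables
# and dot-prefixed files sitting in the system binary directories.
# Returns 1 if any checked tool looks like a wrapper script.
check_tools() {
    root="${1:-}"
    rc=0
    for tool in bin/ps bin/who bin/ls bin/netstat usr/bin/ps usr/bin/who; do
        path="$root/$tool"
        [ -e "$path" ] || continue
        kind=$(classify_binary "$path")
        if [ "$kind" != elf ]; then
            echo "SUSPECT: $path is a $kind, expected an ELF executable"
            rc=1
        fi
    done
    find "$root/bin" "$root/sbin" "$root/usr/bin" "$root/usr/sbin" \
        -maxdepth 1 -name '.*' -type f 2>/dev/null | sed 's/^/HIDDEN: /'
    return $rc
}
```

Run snapshot_state first on the live system and copy the directory it prints elsewhere; run check_tools only after rebooting from rescue media, so the checks do not depend on a possibly tampered running kernel or shell.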