<
 
 
 
 
×
>
hide
You are viewing a Web site, archived on 09:21:40 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.
External links, forms, and search boxes may not function within this collection.

 

CERT® Coordination Center

Steps for Recovering from a UNIX Root Compromise


This document sets out suggested steps for responding to a UNIX root compromise. Your response should be carried out in several stages:

Introduction

A. Before you get started
  1. If you have a security policy, consult your security policy
  2. If you do not have a security policy
    1. Consult with management
    2. Consult with your legal counsel
    3. Contact law enforcement agencies
    4. Notify others within your organization
  3. Document all of the steps you take in recovering
B. Regain control
  1. Disconnect compromised system(s) from the network
  2. Copy an image of the compromised system(s)
C. Analyze the intrusion
  1. Look for modifications made to system software and configuration files
  2. Look for modifications to data
  3. Look for tools and data left behind by the intruder
  4. Review log files
  5. Look for signs of a network sniffer
  6. Check other systems on your network
  7. Check for systems involved or affected at remote sites
D. Contact CERT/CC and other sites involved
  1. Incident Reporting
  2. Contact the CERT Coordination Center
  3. Obtain contact information for other sites involved
E. Recover from the intrusion
  1. Install a clean version of your operating system
  2. Disable unnecessary services
  3. Install all vendor security patches
  4. Consult CERT advisories, summaries, and vendor-initiated bulletins
  5. Caution use of data from backups
  6. Change passwords
F. Improve the security of your system and network
  1. Review security using the UNIX configuration guidelines document
  2. Review the security tools document
  3. Install security tools
  4. Enable maximal logging
  5. Configure firewalls to defend networks
G. Reconnect to the Internet
H. Update your security policy
  1. Document lessons learned from being root compromised
  2. Calculate the cost of this incident
  3. Incorporate necessary changes (if any) in your security policy

Document revision history


Introduction

This document sets out suggested steps for responding to a UNIX root compromise.

Note that all action taken during your recovery from a root compromise should be in accordance with your organization's policies and procedures.

  1. Before you get started
    1. If you have a security policy, consult your security policy
    2. If you do not have a security policy
      1. Consult with management
      2. Depending on how your organization is structured, it may be important to notify management in order to facilitate internal coordination of your recovery effort.

      3. Consult with your legal counsel
      4. Before you get started in your recovery, your organization needs to decide if pursuing a legal investigation is an option.

        Note that the CERT Coordination Center is involved in providing technical assistance and facilitating communications in response to computer security incidents involving hosts on the Internet. We do not have legal expertise and cannot offer legal advice or opinions. For legal advice, we recommend that you consult with your legal counsel. Your legal counsel can provide you with legal options (both civil and criminal) and courses of action based on you or your organization's needs.

        It is up to you how you wish to pursue this incident. You may wish to secure your systems or to contact law enforcement to investigate the case.

        If you are interested in determining the identity of or pursuing action against the intruder, we suggest that you consult your management and legal counsel to see if any local, state, or federal laws have been violated. Based on that, you could then choose to contact a law enforcement agency and see if they wish pursue an investigation.

        We encourage you to discuss the root compromise activity with your management and legal counsel to answer the following questions:

        • What is your legal status in terms of your ability to trap intruders or trace connections (i.e., do you have a login banner stating that connections can be tracked or traced? See CERT Advisory CA-92:19, "Keystroke Logging Banner").
        • What are your legal responsibilities if your site is aware of the activity and does not take steps to prevent it?
        • Have any local, state, or federal laws have been violated?
        • Should an investigation should be pursued?
        • Should you report the activity to local, state, or national) law enforcement?
      5. Contact law enforcement agencies
      6. In general, if you are interested in pursuing any type of investigation or legal prosecution, we'd encourage you to first discuss the activity with your organization's management and legal counsel and to notify any appropriate law enforcement agencies (in accordance with any policies or guidelines at your site).

        Keep in mind that unless one of the parties involved contacts law enforcement, any efforts to trap or trace the intruder may be to no avail. We suggest you contact law enforcement before attempting to set a trap or tracing an intruder.

        U.S. sites interested in an investigation can contact their local Federal Bureau of Investigation (FBI) field office. To find contact information for your local FBI field office, please consult your local telephone directory or see the FBI's field offices web page available at:

        http://www.fbi.gov/fo/fo.htm

        For more information, please see the web page of the FBI National Computer Crime Squad (NCCS):

        http://www.fbi.gov/programs/nccs/compcrim.htm

        You may wish to contact the U.S. Secret Service for incidents involving the following:

        • theft or abuse of credit card information (e.g., credit card fraud, the exchange of credit card information)
        • threats to the President of the United States (e.g., threatening email messages)
        • impersonation of the President of the United States (e.g., the creation of forged email appearing to come from the President)

        To contact the Secret Service:

        Secret Service main phone number: +1 202 435-7700

        Financial Crimes Division - Electronic Crimes Section
        Phone: +1 202 435-5850
        Fax: +1 202 435 7607

        Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.

      7. Notify others within your organization
      8. In addition to notifying management and legal counsel at your site, you may also need to notify others within your organization who may be directly affected by your recovery process (e.g., other administrators or users).

    3. Document all of the steps you take in recovering
    4. The importance of documenting every step you take in recovery can not be overstated. Recovering from a root compromise can be a hectic and time consuming process in which hasty decisions are often made. Documenting the steps you take in recovery will help prevent hasty decisions and give you a record of all the steps you took to recover, which will be useful for your future reference. Documenting the steps you take in recovery also may be useful if there is a legal investigation.

  2. Regain control
    1. Disconnect compromised system(s) from the network
    2. To regain control, you will need to disconnect all compromised machines from your network. You may wish to operate in single user mode to ensure that you have complete control of the machine; however, by rebooting or changing to single user mode, you may lose some useful information because all processes executing at the time of discovery will be killed.

      Therefore, you may wish to work through steps in section C.5. Look for signs of a network sniffer to determine if the compromised system is currently running a network sniffer.

      Operating in single user mode will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process.

      If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine.

    3. Copy an image of the compromised system(s)
    4. Before analyzing the intrusion we encourage you to create a backup of your system. This will provide a "snapshot" of the file system at the time that the root compromise was first discovered. You may need to refer back to this backup in the future.

      If you have an available disk which is the same size and model as the disk in the compromised system, you can use the dd command to make an exact copy of the compromised system.

      For example, on a Linux system with two SCSI disks, the following command would make an exact replica of the compromised system (/dev/sda) to the disk of the same size and model (/dev/sdb).

      	   # dd if=/dev/sda of=/dev/sdb
      

      Please read the dd man page for more information.

      There are many other ways to create a backup of your system.

      Creating a low level backup is important in case you ever need to restore the state of the compromised machine when it was first discovered. Also, files may be needed for a legal investigation. Label, sign, and date the backup and keep the backup in a secure location to maintain integrity of the data.

  3. Analyze the intrusion
  4. With your system disconnected from the network, you can now thoroughly review log files and configuration files for signs of intrusion, intruder modifications, and configuration weaknesses.

    1. Look for modifications made to system software and configuration files
    2. Verify all system binaries and configuration files.

      When looking for modifications of system software and configuration files, keep in mind that any tool you are using on the compromised system to verify the integrity of binaries and configuration files could itself be modified. Also keep in mind that the kernel (operating system) itself could be modified. Thus, we encourage you to boot from a trusted kernel and obtain a known clean copy of any tool you intend to use in analyzing the intrusion.

      We urge you to thoroughly check all of your system binaries against distribution media. We have seen an extensive range of Trojan horse binaries installed by intruders.

      Some of the binaries which are commonly replaced by Trojan horses are: telnet, in.telnetd, login, su, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd, and syslogd. Other items to check are any binaries referenced in /etc/inetd.conf, critical network and system programs, and shared object libraries.

      Because some Trojan horse programs could have the same timestamps as the original binaries and give the correct sum values, we recommend you use cmp to make a direct comparison of the binaries and the original distribution media.

      Alternatively, you can check the MD5 results on suspect binaries against a list of MD5 checksums from known good binaries. Ask your vendor if they make MD5 checksums available for their distribution binaries.

      Additionally, verify your configuration files against copies that you know to be unchanged.

      Some of the specific things you may want to inspect in your configuration files are:

      • Check your /etc/passwd file for entries that do not belong.
      • Check to see if /etc/inetd.conf has been modified.
      • If you allow the r commands (rlogin, rsh, rexec), ensure there is nothing that does not belong in /etc/hosts.equiv or in any .rhosts files.

      • Check for new SUID and SGID files. The following example will print out all SUID and SGID files within your filesystem.

             # find / \( -perm -004000 -o -perm -002000 \) -type f -print
        

    3. Look for modifications to data
    4. Data on root compromised systems is often modified by intruders. We encourage you to verify the integrity of web pages, ftp archives, files in users' home directories, and any other data files on your system.

    5. Look for tools and data left behind by the intruder
    6. Intruders will commonly install custom-made tools for continued monitoring or access to a root compromised system.

      The common classes of files left behind by intruders are as follows:

      • Network Sniffers

      • A network sniffer is a utility which will monitor and log network activity to a file. Intruders commonly use network sniffers to capture username and password data that is passed in cleartext over the network. (see section C.5 below)

      • Trojan Horse Programs

      • Trojan horse programs are programs which appear to function properly, but either add or remove features. Intruders use Trojan horse programs to hide their activity, capture username and password data, and create backdoors for future access to a root compromised system. (see section C.1 above)

      • Vulnerability Exploits

      • A majority of root compromises are a result of machines running vulnerable versions of software. Intruders often use tools to exploit known vulnerabilities and gain root access. These tools are often left behind on the system in "hidden" directories.

      • Other Intruder Tools

      • The types of intruder tools listed above is not intended to be a conclusive list. There may be other tools left behind by an intruder. Some of the other types of tools you may find are tools to:
        • probe systems for vulnerabilities
        • launch widespread probes of many other sites
        • launch denial of service attacks
        • use your computing and networking resources

      • Intruder Tool Output

      • You may find log files from any number of intruder tools. These log files may contain information about other sites involved, vulnerabilities of your compromised machine(s), and vulnerabilities at other sites.

      We encourage you to search thoroughly for such tools and output files. Be sure to use a known clean copy of any tool which you use to search for intruder tools.

      The following list includes the most common places intruder tools are found on compromised systems.

      • Look for unexpected ASCII files in the /dev directory. Some of the Trojan binaries rely on configuration files which are often found in /dev.
      • If an intruder has created a new account and home directory, look very carefully through that directory. There may be hidden files or directories.
      • Look for files or directories with strange names such as "..." (three dots) or ".. " (two dots and some whitespace). Intruders often try and hide files within such directories.

    7. Review log files
    8. Reviewing your log files will help you get a better idea of how your machine was compromised, what happened during the compromise, and what remote hosts accessed your machine.

      Keep in mind when reviewing any log files from a root compromised machine that any of the logs could have been modified by the intruder.

      You may need to look in your /etc/syslog.conf file to find where syslog is logging messages.

      Below is a list of some of the more common UNIX log file names, their function, and what to look for in those files. Depending on how your system is configured, you may or may not have the following log files.

      • messages

      • The messages log will contain a wide variety of information. The thing to look for in this file is anomalies. Anything out of the ordinary should be inspected. Also, look for events that occurred around the known time of the intrusion.

      • xferlog

      • If the compromised system has a functioning ftp server, xferlog will contain log files for all of the ftp transfers. This may help you discover what intruder tools have been uploaded to your system, as well as what information has been downloaded from your system.

      • utmp

      • This file contains binary information for every user currently logged in. This file is only useful to determine who is currently logged in. One way to access this data is the who command.

      • wtmp

      • Every time a user successfully logs in, logs out, or your machine reboots, the wtmp file is modified. This is a binary file; thus, you need to use a tool to obtain useful information from this file. One such tool is last. The output from last will contain a table which associates user names with login times and the host name where the connection originated. Checking this file for suspicious connections (e.g., from unauthorized hosts) may be useful in determining other hosts that may have been involved and finding what accounts on your system may have been compromised.

      • secure

      • Some versions of UNIX (RedHat Linux for example) log tcp wrapper messages to the secure log file. Every time a connection is established with one of the services running out of inetd that uses tcp wrappers, a log message is appended to this log file. When looking through this log file, look for anomalies such as services that were accessed which are not commonly used, or connections from unfamiliar hosts.

      The common item to look for when reviewing log files is anything that appears out of the ordinary.

    9. Look for signs of a network sniffer
    10. When a root compromise occurs, there is the potential for intruders to install a network monitoring program, commonly called a sniffer (or packet sniffer), to capture user account and password information.

      The first step to take in determining if a sniffer is installed on your system is to see if any process currently has any of your network interfaces in promiscuous mode. If any interface is in promiscuous mode, then a sniffer could be installed on your system. Note that detecting promiscuous interfaces will not be possible if you have rebooted your machine or are operating in single user mode since your discovery of this intrusion.

      There are a couple of tools designed for this purpose.

      Keep in mind that some legitimate network monitors and protocol analyzers will set a network interface in promiscuous mode. Detecting an interface in promiscuous mode does not necessarily mean that an intruder's sniffer is running on a system.

      Another issue to consider is that sniffer log files tend to grow quickly in size. You may want to use utilities such as df to determine if part of the filesystem is larger than expected. Remember that df is often replaced by a Trojan horse program when sniffers are installed; therefore, be sure to obtain a known clean copy of that utility if you do use it.

      If you find that a packet sniffer has been installed on your systems, we strongly urge you to examine the output file from the sniffer to determine what other machines are at risk. Machines at risk are those that appear in the destination field of a captured packet.

      Many common sniffers will log each connection as follows:

           -- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
           PATH: not_at_risk.domain.com(1567) =&GT; at_risk.domain.com(telnet)
      	   
      For sniffer logs of this particular format, you can obtain a list of affected machines by executing the following command:
           % grep PATH: $sniffer_log_file | awk '{print $4}' | \
             awk -F\( '{print $1}'| sort -u
      	   
      You may need to adjust the command for your particular case.

      You should be aware that there may be other machines at risk in addition to the ones that appear in the sniffer log. This may be because the intruder has obtained previous sniffer logs from your systems, or through other attack methods.

      For more information, we encourage you to review CERT Advisory CA-94:01, available from:

      http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html

      The advisory includes a description of sniffer activity and suggested approaches for addressing this problem.

      Please send us a list of all hosts you know to be affected. This will help us determine the scope of the problem.

    11. Check other systems on your network
    12. We encourage you to check all of your systems, not just those that you know to be compromised. Include in your check any systems associated with the compromised system through shared network-based services (such as NIS and NFS) or through any method of trust (such as systems in hosts.equiv or .rhosts files, or a Kerberos server).

      In examining other systems on your network, we encourage you to use our Intruder Detection Checklist:

      http://www.cert.mil/techtips/intruder_detection_checklist.htm

    13. Check for systems involved or affected at remote sites
    14. While examining log files, intruder output files, and any files modified or created during and since the time of the intrusion, look for information that leads you to suspect that another site may be linked with the compromise. We often find that other sites linked to a compromise (whether upstream or downstream of the compromise) have often themselves been victims of a compromise. It is therefore important that any other potential victim sites are identified and notified as soon as possible.

  5. Contact CERT/CC and other sites involved
    1. Incident Reporting
    2. Intruders will frequently use compromised accounts or hosts to launch attacks against other sites. If you find evidence of compromise or intruder activity at any other sites, we encourage you to contact those sites. Tell them what you have found, explain that this may be a sign of compromise or intruder activity at their site, and suggest that they may wish to take steps to determine if/how the compromise occurred and prevent a recurrence. When contacting other sites, please give them as much detail as possible including date/timestamps, timezone, and what to do if they have follow-up information.

      We would appreciate a "cc" to cert@cert.org on any correspondence. If you like, you can let the site know that you are working with us on on this incident (please include the assigned CERT tracking number in the subject line of your messages). Also let them know that we can offer assistance on how to recover from the compromise.

    3. Contact the CERT Coordination Center
    4. We would appreciate it you would complete and return an Incident Reporting Form as this will help us better assist you, and allow us to relate ongoing intruder activities. This also provides us a better overview of trends in attack profiles and provides input for other CERT documents such as Advisories and Summaries. We prefer that Incident Reporting Forms are sent to us via email. The Incident Reporting Forms are available from:

      ftp://ftp.cert.org/pub/incident_reporting_form

      Our contact information is as follows:

      Email: cert@cert.org (monitored during business hours)

      Telephone: +1-412-268-7090 24-hour hotline
      Fax: +1-412-268-6989
      CERT Coordination Center personnel answer business days (Monday-Friday) 08:30-17:00 EST/EDT (GMT-5)/(GMT-4), on call for emergencies during other hours.

      CERT Coordination Center
      Software Engineering Institute
      Carnegie Mellon University
      Pittsburgh, PA USA 15213-3890

    5. Obtain contact information for other sites involved
    6. If you need contact information for a .COM, .EDU, .NET, or .ORG top-level domain, we encourage you to use the InterNIC's whois database. For information about using 'whois', see the InterNIC's Whois tutorial at:

      http://rs.internic.net/tools/whois.html

      You can query the InterNIC's whois database via the Web at the following URL:

      http://rs.internic.net/cgi-bin/whois

      For information about finding contact information for other top level domains, please see the following URL:

      http://rs.internic.net/help/other-reg.html

      To find contact information for other incident response teams, you may also want to check the contact list of the Forum of Incident Response and Security Teams (FIRST), available in:

      http://www.first.org/team-info/

      We do not recommend sending email to "root" or "postmaster" of a machine that is suspected of being involved in intruder activity. If that machine is the source of an intruder attack, it is possible that that machine itself may be compromised and the intruder may have root access and/or be reading or intercepting email sent to that host.

      If you are still unsure of a site or contact details, please get in touch with us.

  6. Recover from the intrusion
    1. Install a clean version of your operating system
    2. Keep in mind that if a machine is root compromised, anything on that system could have been modified, including the kernel, binaries, datafiles, running processes, and memory. In general, the only way to trust that a machine is free from backdoors and intruder modifications is to reinstall the operating system from the distribution media and install all of the security patches before connecting back to the network. Merely determining and fixing the vulnerability that was used to initially compromise this machine may not be enough.

      We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media.

    3. Disable unnecessary services
    4. Configure your system to offer only the services that the system is intended to offer, and no others. Check to ensure that there are no weaknesses in the configuration files for those services, and that those services are available only to the intended set of other systems. In general, the most conservative policy is to start by disabling everything and only enabling services as they are needed.

    5. Install all vendor security patches
    6. We strongly encourage you to ensure that the full set of security patches for each of your systems is applied. This is a major step in defending your systems from attack, and its importance cannot be overstated.

      We encourage you to check with your vendor regularly for any updates or new patches that relate to your systems.

    7. Consult CERT advisories, summaries, and vendor-initiated bulletins
    8. We encourage you to consult past CERT advisories, summaries, and vendor-initiated bulletins, and to follow the instructions that are relevant to your particular configuration. Be sure that you have installed all applicable patches or workarounds described in the CERT publications.

      Remember to check the advisories periodically to ensure that you have the most current information.

      Past CERT advisories are available from:

      http://www.cert.org/advisories/index.html
      ftp://ftp.cert.org/pub/cert_advisories/

      Past CERT summaries are available from:
      ftp://ftp.cert.org/pub/cert_summaries/

      Vendor-initiated bulletins are available from:
      ftp://ftp.cert.org/pub/cert_bulletins/

    9. Caution use of data from backups
    10. When restoring data from a backup, ensure that the backup itself is from an uncompromised machine. Keep in mind that you could re-introduce a vulnerability that would allow an intruder to gain unauthorized access. Also, if you are only restoring users' home directories and data files, keep in mind that any of those files could contain Trojan horse programs. You may want to pay close attention to .rhosts files in users' home directories.

    11. Change passwords
    12. After all security holes or configuration problems have been patched or corrected, we suggest that you change the passwords of ALL accounts on the affected system(s). Ensure that passwords for all accounts are not easy to guess. You may want to consider using vendor-supplied or third-party tools to enforce your password policies.

  7. Improve the security of your system and network
    1. Review security using the UNIX Configuration Guidelines document
    2. To help you assess the security of your system(s), please refer to our UNIX Configuration Guidelines document. This document may be useful to you in checking your system for common UNIX configuration problems that are often exploited by intruders.

      ftp://ftp.cert.org/pub/tech_tips/UNIX_configuration_guidelines

    3. Review the security tools document
    4. Consider using some of the software security tools that are available, such as Tripwire®, COPS, and the TCP wrapper package.

      A description of some tools that can be used to help secure a system and deter break-ins is available from:

      ftp://ftp.cert.org/pub/tech_tips/security_tools

    5. Install security tools
    6. Install all security tools before you connect your machine back to the network. Also, this is a good time to take an MD5 checksum snapshot of the newly restored system using a tool such as Tripwire®.

    7. Enable maximal logging
    8. Make sure that logging/auditing/accounting programs are enabled (for example, process accounting) and that they are set to an appropriate level (for example, sendmail logging should be level 9 or higher). Backup your logs, and/or consider writing your logs to a different machine, an append-only file system, or a secure logging host.

    9. Configure firewalls to defend networks
    10. Consider filtering certain TCP/IP services at your firewall or router. For some suggestions, please refer to "Packet Filtering for Firewall Systems," available from:

      ftp://ftp.cert.org/pub/tech_tips/packet_filtering

  8. Reconnect to the Internet
  9. If you disconnected from the Internet, the best time to reconnect is after you have completed all the steps listed above.

  10. Update your security policy
  11. The CERT Coordination Center recommends that every site develop their own computer security policy. Each organization may have a specialized culture and security requirements that are specific to their own organization. Please refer to RFC 2196 "Site Security Handbook" for information about developing computer security policies and procedures for sites that have systems on the Internet. This document is available from:

    ftp://ftp.isi.edu/in-notes/rfc2196.txt

    1. Document lessons learned from being root compromised
    2. Document and review your lessons learned from going through the process of recovering from a root compromise. This will help you decide the appropriate revisions necessary for your security policy.

    3. Calculate the cost of this incident
    4. For many organizations, changes simply are not made in security policy until they understand the cost of security, or lack thereof. Calculating the cost of an incident will give you a measurement as to the importance of security for your organization. You may find calculating the cost of this incident useful for explaining to management that security is important to your organization.

    5. Incorporate necessary changes (if any) in your security policy
    6. The last step to take in this process is to make the changes to your security policy. Be sure to inform members of your organization as to the changes that have been made and how that may affect them.