Introduction
Note that all action taken during your recovery from a root compromise should be in accordance with your organization's policies and procedures.
Depending on how your organization is structured, it may be important to notify management in order to facilitate internal coordination of your recovery effort.
Before you get started in your recovery, your organization needs to decide if pursuing a legal investigation is an option.
Note that the CERT Coordination Center is involved in providing technical assistance and facilitating communications in response to computer security incidents involving hosts on the Internet. We do not have legal expertise and cannot offer legal advice or opinions. For legal advice, we recommend that you consult with your legal counsel. Your legal counsel can provide you with legal options (both civil and criminal) and courses of action based on your or your organization's needs.
It is up to you how you wish to pursue this incident. You may wish to secure your systems or to contact law enforcement to investigate the case.
If you are interested in determining the identity of or pursuing action against the intruder, we suggest that you consult your management and legal counsel to see if any local, state, or federal laws have been violated. Based on that, you could then choose to contact a law enforcement agency and see if they wish to pursue an investigation.
We encourage you to discuss the root compromise activity with your management and legal counsel to answer the following questions:
In general, if you are interested in pursuing any type of investigation or legal prosecution, we'd encourage you to first discuss the activity with your organization's management and legal counsel and to notify any appropriate law enforcement agencies (in accordance with any policies or guidelines at your site).
Keep in mind that unless one of the parties involved contacts law enforcement, any efforts to trap or trace the intruder may be to no avail. We suggest you contact law enforcement before attempting to set a trap or tracing an intruder.
U.S. sites interested in an investigation can contact their local Federal Bureau of Investigation (FBI) field office. To find contact information for your local FBI field office, please consult your local telephone directory or see the FBI's field offices web page available at:
For more information, please see the web page of the FBI National Computer Crime Squad (NCCS):
You may wish to contact the U.S. Secret Service for incidents involving the following:
To contact the Secret Service:
Non-U.S. sites may want to discuss the activity with their local law enforcement agency to determine the appropriate steps that should be taken with regard to pursuing an investigation.
In addition to notifying management and legal counsel at your site, you may also need to notify others within your organization who may be directly affected by your recovery process (e.g., other administrators or users).
Before taking the compromised machine off the network or into single user mode, you may wish to work through the steps in section C.5 (Look for signs of a network sniffer) to determine whether the compromised system is currently running a network sniffer, since evidence of an interface in promiscuous mode is lost once the machine is rebooted or taken to single user mode.
Operating in single user mode will prevent users, intruders, and intruder processes from accessing or changing state on the compromised machine while you are going through the recovery process.
If you do not disconnect the compromised machine from the network, you run the risk that the intruder may be connected to your machine and may be undoing your steps as you try to recover the machine.
If you have an available disk which is the same size and model as the disk in the compromised system, you can use the dd command to make an exact copy of the compromised system.
For example, on a Linux system with two SCSI disks, the following command would make an exact replica of the compromised system's disk (/dev/sda) onto the second disk of the same size and model (/dev/sdb). The destination must be at least as large as the source, and it must not be the disk you are booted from.
# dd if=/dev/sda of=/dev/sdb
Please read the dd man page for more information.
There are many other ways to create a backup of your system.
Creating a low level backup is important in case you ever need to restore the state of the compromised machine when it was first discovered. Also, files may be needed for a legal investigation. Label, sign, and date the backup and keep the backup in a secure location to maintain integrity of the data.
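The imaging step above, as an added example that is not part of the CERT document. The source and destination paths are placeholders (on a real system the source would be the compromised disk, e.g. /dev/sda, and the destination a spare disk or an image file on a separate, trusted volume); the verification step is what makes the copy usable as evidence.

```shell
#!/bin/sh
# Added example, not from the CERT document: image a disk with dd and
# prove the copy matches before anything else touches the original.  SRC
# and DST are illustrative; in practice SRC is the compromised disk and
# DST a spare disk at least as large, or an image file elsewhere.

# image_disk SRC DST
#   bs=512 matches the sector size, so conv=noerror,sync can skip an
#   unreadable sector and zero-fill exactly that sector instead of
#   aborting (the default) or shifting everything after it (noerror
#   alone).  A larger bs would also pad the final partial block and make
#   the image longer than the source, which breaks the comparison below.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync
}

# verify_image SRC DST
#   Byte-for-byte comparison with cmp(1), then the POSIX cksum of the
#   copy so the label on the media can carry a checksum and byte count.
#   Returns 1 if the copy differs from the source in any byte or length.
verify_image() {
    cmp "$1" "$2" >/dev/null 2>&1 || return 1
    cksum "$2" | awk '{print "cksum=" $1, "bytes=" $2}'
}

# Usage (run as root, from a trusted boot):
#   image_disk /dev/sda /dev/sdb && verify_image /dev/sda /dev/sdb
```

Record the cksum output on the label together with the date and your signature; anyone who later needs to show the image is unchanged can recompute it.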
When looking for modifications of system software and configuration files, keep in mind that any tool you are using on the compromised system to verify the integrity of binaries and configuration files could itself be modified. Also keep in mind that the kernel (operating system) itself could be modified. Thus, we encourage you to boot from a trusted kernel and obtain a known clean copy of any tool you intend to use in analyzing the intrusion.
We urge you to thoroughly check all of your system binaries against distribution media. We have seen an extensive range of Trojan horse binaries installed by intruders.
Some of the binaries which are commonly replaced by Trojan horses are: telnet, in.telnetd, login, su, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd, and syslogd. Other items to check are any binaries referenced in /etc/inetd.conf, critical network and system programs, and shared object libraries.
Because some Trojan horse programs could have the same timestamps as the original binaries and even produce matching sum(1) checksums, we recommend you use cmp to make a direct, byte-for-byte comparison of the binaries against the original distribution media.
Alternatively, you can check MD5 checksums of the suspect binaries against a list of MD5 checksums from known good binaries. Ask your vendor if they make MD5 checksums available for their distribution binaries. Note that MD5 is no longer collision resistant; where your vendor publishes SHA-256 (or stronger) checksums or signed packages, prefer those, and obtain the checksum list over a trusted channel rather than from the compromised host.
Additionally, verify your configuration files against copies that you know to be unchanged.
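The two checks above (cmp against distribution media, and a checksum manifest from known good binaries) as an added example; this is not tooling from the CERT document. The directory roots, file list and manifest are assumptions for illustration. It must be run from a trusted boot with known-clean cmp, cksum and awk binaries, since the suspect system's own copies of those tools cannot be trusted.

```shell
#!/bin/sh
# Added example, not from the CERT document.  Checks a suspect system's
# binaries against a known-good copy of the same distribution two ways:
# byte-for-byte with cmp(1), which defeats Trojans that forge timestamps
# or weak checksums, and against a checksum manifest made earlier from
# clean media.  SUSPECT_ROOT, CLEAN_ROOT, LISTFILE and MANIFEST are
# illustrative paths.

# compare_tree SUSPECT_ROOT CLEAN_ROOT LISTFILE
#   LISTFILE names one file per line relative to both roots (e.g. bin/ls).
#   Prints OK/MODIFIED/MISSING per file; returns the number of non-OK files.
compare_tree() {
    suspect=$1; clean=$2; bad=0
    while IFS= read -r rel; do
        [ -z "$rel" ] && continue
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1))
        elif cmp -s "$clean/$rel" "$suspect/$rel"; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"; bad=$((bad + 1))
        fi
    done < "$3"
    return "$bad"
}

# make_manifest CLEAN_ROOT LISTFILE
#   Writes "crc size relpath" lines (POSIX cksum output) to stdout.
#   Build it from clean media and keep it off the suspect host, signed.
make_manifest() {
    while IFS= read -r rel; do
        [ -n "$rel" ] && ( cd "$1" && cksum "$rel" )
    done < "$2"
}

# check_manifest MANIFEST SUSPECT_ROOT
#   Recomputes each entry on the suspect tree.  Returns the number of
#   entries whose checksum, size or presence differs from the manifest.
check_manifest() {
    bad=0
    while read -r crc size rel; do
        [ -z "$rel" ] && continue
        if [ ! -f "$2/$rel" ]; then
            echo "MISSING  $rel"; bad=$((bad + 1)); continue
        fi
        actual=$( cd "$2" && cksum "$rel" )
        if [ "$actual" = "$crc $size $rel" ]; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"; bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Usage, with the clean distribution mounted read-only on /mnt/cdrom and
# the suspect root mounted on /mnt/suspect:
#   printf 'bin/ls\nbin/ps\nbin/netstat\nsbin/ifconfig\n' > /tmp/list
#   compare_tree /mnt/suspect /mnt/cdrom /tmp/list
```

A MODIFIED result on a binary that the vendor has patched since the media was pressed is expected; compare those against the vendor's patch checksums before concluding they are Trojans.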
Some of the specific things you may want to inspect in your configuration files are:
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
The common classes of files left behind by intruders are as follows:
We encourage you to search thoroughly for such tools and output files. Be sure to use a known clean copy of any tool which you use to search for intruder tools.
The following list includes the most common places intruder tools are found on compromised systems.
Keep in mind when reviewing any log files from a root compromised machine that any of the logs could have been modified by the intruder.
You may need to look in your /etc/syslog.conf file to find where syslog is logging messages.
Below is a list of some of the more common UNIX log file names, their function, and what to look for in those files. Depending on how your system is configured, you may or may not have the following log files.
The first step to take in determining if a sniffer is installed on your system is to see if any process currently has any of your network interfaces in promiscuous mode. If any interface is in promiscuous mode, then a sniffer could be installed on your system. Note that detecting promiscuous interfaces will not be possible if you have rebooted your machine or are operating in single user mode since your discovery of this intrusion.
There are a couple of tools designed for this purpose.
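An added example of the promiscuous-mode check on Linux; it is not one of the tools the text refers to and not part of the CERT document. It assumes iproute2 is available. Two caveats a practitioner will want: a sniffer that enables promiscuous mode through a packet socket (as libpcap-based tools do) does not set the PROMISC flag that ifconfig prints, so the reliable indicator is the per-interface "promiscuity N" counter from "ip -d link show" (N > 0 means some process currently holds the interface promiscuous); and the ip binary on the suspect machine may itself be Trojaned, so run a known-clean copy.

```shell
#!/bin/sh
# Added example, not from the CERT document.  Lists interfaces that are
# currently in promiscuous mode on a Linux host, using the kernel's
# per-interface promiscuity counter (shown by "ip -d link show") rather
# than the PROMISC flag alone, which packet-socket sniffers do not set.
# parse_promisc reads the command's output on stdin so the logic can be
# exercised on captured text; promisc_ifaces runs it live.

parse_promisc() {
    awk '
        # Interface header, e.g. "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
        /^[0-9]+: / {
            iface = $2; sub(/:$/, "", iface); sub(/@.*/, "", iface)
            flagged = ($0 ~ /<[^>]*PROMISC[^>]*>/); count = 0
        }
        # Detail line (needs -d), e.g. "    link/ether ... promiscuity 1 ..."
        /promiscuity [0-9]+/ {
            for (i = 1; i < NF; i++) if ($i == "promiscuity") count = $(i + 1)
            if (count + 0 > 0 || flagged) print iface
        }
    '
}

# Live check; run with a known-clean ip binary from a trusted path.
promisc_ifaces() {
    ip -d link show | parse_promisc
}
```

An empty result means no process currently has an interface open promiscuously; it says nothing about a sniffer that has already exited, so still check for its log files and the df discrepancy described next.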
Another issue to consider is that sniffer log files tend to grow quickly in size. You may want to use utilities such as df to determine if part of the filesystem is larger than expected. Remember that df is often replaced by a Trojan horse program when sniffers are installed; therefore, be sure to obtain a known clean copy of that utility if you do use it.
If you find that a packet sniffer has been installed on your systems, we strongly urge you to examine the output file from the sniffer to determine what other machines are at risk. Machines at risk are those that appear in the destination field of a captured packet.
Many common sniffers will log each connection as follows:
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
 PATH: not_at_risk.domain.com(1567) => at_risk.domain.com(telnet)
For sniffer logs of this particular format, you can obtain a list of affected machines by executing the following command:
% grep PATH: $sniffer_log_file | awk '{print $4}' | \
      awk -F\( '{print $1}' | sort -u
You may need to adjust the command for your particular case.
You should be aware that there may be other machines at risk in addition to the ones that appear in the sniffer log. This may be because the intruder has obtained previous sniffer logs from your systems, or through other attack methods.
For more information, we encourage you to review CERT Advisory CA-94:01, available from:
The advisory includes a description of sniffer activity and suggested approaches for addressing this problem.
Please send us a list of all hosts you know to be affected. This will help us determine the scope of the problem.
In examining other systems on your network, we encourage you to use our Intruder Detection Checklist:
We would appreciate a "cc" to cert@cert.org on any correspondence. If you like, you can let the site know that you are working with us on this incident (please include the assigned CERT tracking number in the subject line of your messages). Also let them know that we can offer assistance on how to recover from the compromise.
Our contact information is as follows:
Telephone: +1-412-268-7090 24-hour hotline
Fax: +1-412-268-6989
CERT Coordination Center personnel answer business days (Monday-Friday) 08:30-17:00 EST/EDT (GMT-5)/(GMT-4), on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA USA 15213-3890
If you are still unsure of a site or contact details, please get in touch with us.
We encourage you to restore your system using known clean binaries. In order to put the machine into a known state, you should re-install the operating system using the original distribution media.
We encourage you to check with your vendor regularly for any updates or new patches that relate to your systems.
Remember to check the advisories periodically to ensure that you have the most current information.
Past CERT advisories are available from:
A description of some tools that can be used to help secure a system and deter break-ins is available from: