A friend of mine recently had a visit from "The Audisoft Hacker Team of Chilean Defacers" who, apart from replacing his website with graffiti, placed a c99shell backdoor in an obscure directory.
His visitors were kind enough to display their hacker alias names on the graffiti and, looking at log files, we have discovered the time the attack occurred and the IP address from which it came; also, after having a poke around his backup files, we think we know the application they hacked to gain entry.
So what do we do now?
I suppose theoretically he should report it to some authority but neither of us knows to whom, nor do we suspect they would show the slightest interest even if we did.
The backdoor has been placed in an obscure location which would only be known by the original hackers and associates they have told. It would be impossible to guess or stumble upon accidentally. We are therefore confident that anyone who visits this backdoor has illegal intentions.
So what would ALUGers suggest we do?
Bearing in mind anyone who tries to access the backdoor has illegal intentions, and from log files we notice most are using Microsoft Internet Explorer, we have had all kinds of evil thoughts about replacing the backdoor with some kind of infected software... but this would bring us down to their level and possibly also be illegal. It would however be interesting to replace the backdoor webpage with some software which is capable of more detailed logging of visitors.
What would more experienced ALUGers do if they were in our situation?
Is there any specific piece of logging (or other) software ALUGers would suggest we replace the backdoor with as it is still receiving visitors?
Sagr.
PS: The application the hackers used to gain entry was an old piece of software he had forgotten was still on his website and so we haven't bothered to put it back on.
Sagr spamcatcher@suffolk-ancestor-genealogy-research.co.uk wrote: [...]
So what do we do now?
I suppose theoretically he should report it to some authority but neither of us knows to whom, nor do we suspect they would show the slightest interest even if we did.
Yes, this is a continuing problem with computer misuse here. If you're lucky, your local police will have a high-tech crime unit and take the report, but that's not always easy.
As far as I know, there is no Computer Emergency Response Team for UK businesses, individuals or third sector. Only government, military and academia.
I keep raising this terrible situation with MPs, but it seems our representatives prefer to harass private individuals for downloading music and so on, or try to put all their information into a database that the government can then lose...
Other than that, ideally I'd replace the disk and only connect it read-only noatime and so on. I wouldn't stoop to their level and try to attack them back - maybe see if there's some way to capture their true location/identity. I'd also report it to the ISPs whose networks they used for the attack, which often does no good, but we can hope.
Let us know how you get on. Also, if the situation's not as bleak as above, someone please correct me!
Thanks,
In terms of "going after" the culprits I wouldn't bother unless the service attacked was mission critical, or there was a breach of security that resulted in confidential information being stolen (which if the information belonged to a 3rd party you should have already made an announcement) or if there are other tangible damages (i.e. reasonable grounds to claim for loss of business) beyond the costs of cleaning up the box.
Otherwise the CPS will probably decide (if no confidential information was stolen) that the costs of pursuing these people aren't worth it for what amounts to criminal damage. The box you were attacked from was in itself a compromised machine (if these people have any common sense) and probably that accessed from a hard to trace connection (free wifi access etc). The aliases alone aren't enough to prosecute, even assuming you can resolve them to real people. So if you go the private prosecution route you are going to have to do a lot of expensive investigation to get anywhere.
At a technical level, take an image of the disk (or as MJR says, replace it) and rebuild the box from the ground up. You found one root kit but unless you can verify the integrity of every executable and library on that box (with off-machine tools in case the tools themselves have been compromised), then you really don't know what else might have been done.
Finally, scrub any thoughts you have about counter attack: a. you will totally destroy any chances you have of legal recourse if the attacks continue and b. you will be as much the wrong side of the law as they are. Stick on some extra passive monitoring if you want just in case they do something really silly to reveal themselves. Maybe look at a decent IDS?
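The integrity check suggested above, as an added example that is not part of the thread: with the old disk (or its image) mounted read-only, every regular file is hashed and compared against a known-good sha256sum-style manifest taken from backups or a clean install, so modified, unknown and missing files are listed. The manifest format, the temporary web root and its file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream: image files can be large
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <path relative to root>'."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            baseline[rel] = digest.lower()
    return baseline

def audit_tree(root, baseline):
    """Hash every regular file under root (the read-only mount point) and classify it."""
    seen = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                seen[os.path.relpath(full, root)] = sha256_of(full)
    return {
        "modified": sorted(p for p in seen if p in baseline and seen[p] != baseline[p]),
        "unexpected": sorted(p for p in seen if p not in baseline),
        "missing": sorted(p for p in baseline if p not in seen),
    }

def demo():
    """Constructed stand-in for a mounted image: baseline from a clean web root, then tamper."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data, mode="wb"):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), mode) as f:
                f.write(data)
        clean = {"index.html": b"<h1>Home</h1>", "img/old/gallery.php": b"<?php echo 'ok'; ?>"}
        for rel, data in clean.items():
            put(rel, data)
        lines = [f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in clean.items()]
        lines.append(f"{hashlib.sha256(b'old').hexdigest()}  removed.txt")  # listed, but gone
        put("index.html", b"<!-- defaced -->", "ab")  # tampered: hash no longer matches
        put("img/old/extra.php", b"<?php /* not in baseline */ ?>")  # unknown file
        return audit_tree(root, parse_manifest("\n".join(lines)))
```

Run the audit from a clean machine against the mount point, never with tools from the compromised box.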
At a technical level, take an image of the disk (or as MJR says, replace it) and rebuild the box from the ground up. You found one root kit but unless you can verify the integrity of every executable and library on that box (with off-machine tools in case the tools themselves have been compromised), then you really don't know what else might have been done.
Of course I typed rootkit there where I meant backdoor.
Also if you have the originating IP then it may be worth looking it up and reporting the abuse to the ISP concerned, if it is a compromised box then the owner deserves to know and if they were stupid enough to attack you directly then they are in breach of the ToS on their connection.
I suffered quite a few attacks in the late 90s, I think because Essex is alphabetically the first academic institution in the UK with 'sex' in its name. On a couple of occasions I was able to trace down the cracker to his home machine; but these days, crackers are much more likely to be anonymized, arriving via other cracked machines.
The things I found most useful were to:
-- if it's a new security hole, contact the CERT people at Carnegie-Mellon;
-- contact the root user on any machine from where the cracker arrived, warning them that their machine had been compromised too;
-- if possible, put something over the backdoor that simply responds with "This security hole has been plugged and your attempt to break in through it has been recorded." Whether or not you do actually record things is up to you.
I don't see that there's a real need for an organization like CERT in the UK: Linux is global and if there's a newly-found hole in widely-used software, it'll affect others too. On the other hand, there are quite a few companies that make a living out of Linux security; one of my former PhD students' first job after finishing was to drive around the City looking for open wireless networks. And yes, they were mostly in managers' offices.
I'm not aware of any companies that will help harden small Linux installations or help mop up after a break-in, but then again I haven't looked. Maybe there's a hole in the market...
HTH. ..Adrian
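Sagr's idea of a logging replacement for the backdoor page and Adrian's suggestion of a plain "plugged and recorded" response, as an added example that is not from anyone in the thread: a minimal WSGI application that returns the notice with a 410 status and appends one JSON line per visit (time, client IP, method, path, user agent, referer), plus a small summary over that log. The log path, port and the sample environ are assumptions; the request body is never read.

```python
import json
import time
from wsgiref.simple_server import make_server

NOTICE = (b"This security hole has been plugged and your attempt to break in "
          b"through it has been recorded.\n")
LOG_PATH = "/var/log/backdoor-visits.jsonl"  # assumed location; adjust to taste

def visit_record(environ, now=None):
    """Pick the fields worth keeping from a WSGI environ. The request body is
    never read or acted on; only headers the client sent are recorded."""
    query = environ.get("QUERY_STRING", "")
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "ip": environ.get("REMOTE_ADDR", "-"),
        # only meaningful if a reverse proxy you control sets it
        "xff": environ.get("HTTP_X_FORWARDED_FOR", "-"),
        "method": environ.get("REQUEST_METHOD", "-"),
        "path": environ.get("PATH_INFO", "") + ("?" + query if query else ""),
        "ua": environ.get("HTTP_USER_AGENT", "-"),
        "referer": environ.get("HTTP_REFERER", "-"),
    }

def make_app(sink=None, log_path=LOG_PATH):
    """Build the WSGI app; sink(record) gets each visit, default appends JSON lines."""
    def append_line(rec):
        with open(log_path, "a") as f:
            f.write(json.dumps(rec) + "\n")
    sink = sink or append_line

    def app(environ, start_response):
        sink(visit_record(environ))
        start_response("410 Gone", [("Content-Type", "text/plain"),
                                    ("Content-Length", str(len(NOTICE)))])
        return [NOTICE]
    return app

def top_visitors(jsonl_text, n=5):
    """Summarise a log written by the app: most frequent client IPs."""
    counts = {}
    for line in jsonl_text.splitlines():
        if line.strip():
            ip = json.loads(line)["ip"]
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    # Serve on localhost; map the old backdoor path to it in the web server.
    make_server("127.0.0.1", 8080, make_app()).serve_forever()
```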
"Adrian F. Clark" alien@essex.ac.uk wrote:
-- if it's a new security hole, contact the CERT people at Carnegie-Mellon;
That's the one! I thought there was some CERT somewhere that accepted reports which weren't covered by any other CERT. Even if it's an old security hole, still report the incident so that it gets counted and can inform action.
[...]
I don't see that there's a real need for an organization like CERT in the UK: Linux is global and if there's a newly-found hole in widely-used software, it'll affect others too. [...]
Sure, but some UK service providers seem particularly insecure or bad at reacting to security problems on their systems, so it would be good to have proper data on whether that perception is accurate and help coordinate education/correction of them and actually catch some of the attackers perhaps, instead of the end-users bearing the cost of clean-ups that could be avoided.
I'm not aware of any companies that will help harden small Linux installations or help mop up after a break-in, but then again I haven't looked. Maybe there's a hole in the market...
My webmaster cooperative has done some mop-ups, but it's not particularly clever (more tedious), not much fun and isn't guaranteed.
Regards,
On Thu, 28 Aug 2008, Sagr wrote:
It would however be interesting to replace the backdoor webpage with some software which is capable of more detailed logging of visitors.
I may just be being over-cautious, but I'd suggest before you implement a plan of this form, you run it by either the Office of the Information Commissioner http://www.ico.gov.uk/ or your favourite legal advisor, to check it's within the terms of the Data Protection Act 1998.