Security Incidents mailing list archives

Re: find_ddos results


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Wed, 15 Nov 2000 15:14:28 -0500

first, you may want to back up the machine's contents to a large hard
drive using dd if you are interested in doing an analysis of the
compromise.

boot from a trusted media (ie another host) and use the tools there. don't
trust anything on the system, ie ls, find, or anything. it was probably
altered to hide the toolkits on the system.

of course save any data you want to save (ie mail, application data, etc).

you will have to reinstall the system from scratch. there is just no
getting around this.

i strongly recommend you attempt to figure out how they got in in the
first place, so that you can harden your machine to prevent this from
happening again. i suggest using a firewall on the system and additional
measures to restrict access to network services which are the usual means
of system compromise.

i also suggest you move to a hardened system, such as Immunix
(http://www.immunix.org/). there just really is no substitute for a weak
OS on anyone's network, you cost people time and hence money.  (sorry if
that sounds rough, but right now i have to go clean up after a few lazy
admins who got compromised.)

hope this helps, i'm sure others will have additional advice. a good place
to start is the CERT docs, including:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
http://www.cert.org/tech_tips/security_tools.html
http://www.cert.org/ftp/tech_tips/AUSCERT_checklist1.1 <-- highly recommended
http://www.cert.org/tech_tips/packet_filtering.html

also, look at places like http://www.linuxsecurity.org/ and their
documentation and guidelines.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
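The two practical steps in the post above (image the disk with dd before touching anything, then distrust the compromised host's own ls/find and compare against tools on trusted media) as a small added shell example. This is not Jose's code or anything from the thread; the device path, evidence path, mount points and the list of binaries checked are assumptions, and the test fixtures are constructed files rather than a real disk.

```shell
#!/bin/sh
# Added example, not part of the original post: (1) image a suspect volume
# with dd and record its hash, (2) compare critical binaries on the mounted
# suspect disk against copies on trusted media, since ls/find/ps on the
# compromised host may have been replaced to hide a rootkit.
# Paths used here are assumptions; substitute your own device and mounts.

set -eu

# sha256 FILE: print the SHA-256 digest of FILE (coreutils or perl shasum).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_volume SRC DEST: bit-for-bit copy of SRC (a block device such as
# /dev/sdX, or a plain file when testing) to DEST, hash both sides and store
# the digest beside the image so it can be shown unchanged later.
# conv=noerror keeps going past read errors; add ",sync" when imaging a
# failing disk (that pads bad blocks, so then hash only the image).
image_volume() {
    dd if="$1" of="$2" bs=1048576 conv=noerror 2>/dev/null
    orig=$(sha256 "$1")
    copy=$(sha256 "$2")
    echo "$copy" > "$2.sha256"
    [ "$orig" = "$copy" ] || { echo "image hash mismatch for $2" >&2; return 1; }
    echo "$copy"
}

# check_binaries SUSPECT_ROOT TRUSTED_ROOT: hash each binary under the
# suspect root and the trusted root and report OK / MODIFIED / MISSING.
# Binaries absent from the trusted media are skipped. The exit status is
# the number of binaries that are modified or missing (0 = all matched).
check_binaries() {
    suspect=$1; trusted=$2; bad=0
    # Assumed list of commonly trojaned binaries; extend to suit the system.
    for bin in bin/ls bin/ps usr/bin/find bin/netstat bin/login; do
        if [ ! -f "$trusted/$bin" ]; then
            continue
        fi
        if [ ! -f "$suspect/$bin" ]; then
            echo "MISSING  $bin"; bad=$((bad + 1)); continue
        fi
        if [ "$(sha256 "$suspect/$bin")" = "$(sha256 "$trusted/$bin")" ]; then
            echo "OK       $bin"
        else
            echo "MODIFIED $bin"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage (after booting from trusted media and mounting the suspect disk
# read-only):  sh ir_check.sh /dev/sdX /mnt/evidence/sdX.img /mnt/suspect /
if [ $# -eq 4 ]; then
    image_volume "$1" "$2"
    check_binaries "$3" "$4" || echo "$? binaries differ from trusted media" >&2
fi
```

Run the image step first and keep the `.sha256` file with the image; analysis then happens on the copy, and the hash lets you show the copy still matches what was taken. The binary comparison is only meaningful when the hashing tools themselves come from the trusted boot media, which is the point of the post.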

