Comments on: How to restore a hacked Linux server http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/ The Journal Of A Linux Sysadmin Fri, 12 Mar 2010 09:50:42 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: what are you going to do if your Linux server got hacked | netstat -an | grep -i listenhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-143320 what are you going to do if your Linux server got hacked | netstat -an | grep -i listen Tue, 15 Apr 2008 00:21:38 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-143320 [...] find themselves in such a situation. thanks to this wonderful and straight to the point steps from Marius Ducea addthis_url = [...] [...] find themselves in such a situation. thanks to this wonderful and straight to the point steps from Marius Ducea addthis_url = [...]

]]> By: You Got Hacked? Re-Secure Your Systemhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-104105 You Got Hacked? Re-Secure Your System Sun, 18 Nov 2007 09:24:04 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-104105 [...] to more secure ones. It may not be a complete security solution, here’s a few guidelines of how to restore a hacked system. No Comments, Comment or [...] [...] to more secure ones. It may not be a complete security solution, here’s a few guidelines of how to restore a hacked system. No Comments, Comment or [...]

]]> By: Recovering a hacked server « BrunoJhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-57519 Recovering a hacked server « BrunoJ Wed, 11 Jul 2007 15:47:22 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-57519 [...] BLOG 1 [...] [...] BLOG 1 [...]

]]> By: blog.aemeth.org » [En] How to restore a hacked Linux serverhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-55829 blog.aemeth.org » [En] How to restore a hacked Linux server Thu, 05 Jul 2007 19:10:15 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-55829 [...] Copié depuis le site: http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/ [...] [...] Copié depuis le site: http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/ [...]

]]> By: nocmonkeyhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-2219 nocmonkey Fri, 08 Sep 2006 02:30:18 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-2219 One issue seems to be when or if to do an image, reinstall, restore from backups. I'd say this depends on the version of the OS /apps and time.If it is the latest version, then an image, reinstall, restore from backup may not fix things as you may have just reinstalled the hole again. So even if everything apears to be clean they could get in again. Also i've seen attackers exploits make it into the backups so they get restored anyway which looks very stupid.If the OS and apps are not up to date then an image and reinstall straight away would be better as software can be upgraded to the latest version which gives the intruder more pain in finding an exploit to get back in. User data restored from backups will also have to be checked to see if it runs with the upgraded OS and apps. Which may help to identify if the exploit was in the user's data rather than the OS/apps.If time is an issue, then an image, reinstall, restore from backup is preferable however the 'clean' system may not last very long. In the long term its always better to find out the answer to 'how did they get in?'I like the 'baseline' idea, very helpfull ;) One issue seems to be when or if to do an image, reinstall, restore from backups. I’d say this depends on the version of the OS /apps and time.

If it is the latest version, then an image, reinstall, restore from backup may not fix things as you may have just reinstalled the hole again. So even if everything apears to be clean they could get in again. Also i’ve seen attackers exploits make it into the backups so they get restored anyway which looks very stupid.

If the OS and apps are not up to date then an image and reinstall straight away would be better as software can be upgraded to the latest version which gives the intruder more pain in finding an exploit to get back in. User data restored from backups will also have to be checked to see if it runs with the upgraded OS and apps. Which may help to identify if the exploit was in the user’s data rather than the OS/apps.

If time is an issue, then an image, reinstall, restore from backup is preferable however the ‘clean’ system may not last very long. In the long term its always better to find out the answer to ‘how did they get in?’

I like the ‘baseline’ idea, very helpfull ;)

]]> By: Linux Unix » How To Restore a Hacked Linux Server…http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-1480 Linux Unix » How To Restore a Hacked Linux Server… Fri, 01 Sep 2006 12:57:53 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-1480 [...] Gasp…Yes it CAN happen. Here’s what to do if it does…read more | digg story [...] [...] Gasp…Yes it CAN happen. Here’s what to do if it does…read more | digg story [...]

]]> By: zean.no-ip.info » How to restore a hacked Linux serverhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-555 zean.no-ip.info » How to restore a hacked Linux server Thu, 10 Aug 2006 02:47:01 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-555 [...] Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. Working on several projects to restore a compromised Linux system for various clients, I have developed a set of rules that others might find useful in similar situations. The type of hacks encountered can be very variate and you might see very different ones than the one I will present, or I have seen live, but even so, this rules might be used as a starting point to develop your own recovery plan.   [...] [...] Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. Working on several projects to restore a compromised Linux system for various clients, I have developed a set of rules that others might find useful in similar situations. The type of hacks encountered can be very variate and you might see very different ones than the one I will present, or I have seen live, but even so, this rules might be used as a starting point to develop your own recovery plan.   [...]

]]> By: Nirlog.com » Blog Archive » How to restore a hacked Linux Serverhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-511 Nirlog.com » Blog Archive » How to restore a hacked Linux Server Thu, 03 Aug 2006 14:22:46 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-511 [...] Marius Ducea has a great article on How to restore a hacked Linux Server. He provides a very practical baseline on how you should develop your own plan of action to restore a hacked Linux Server. These are the steps he recommends: [...] [...] Marius Ducea has a great article on How to restore a hacked Linux Server. He provides a very practical baseline on how you should develop your own plan of action to restore a hacked Linux Server. These are the steps he recommends: [...]

]]> By: Linux Server Masters » Blog Archive » How to restore a hacked Linux server | MDLog:/sysadminhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-479 Linux Server Masters » Blog Archive » How to restore a hacked Linux server | MDLog:/sysadmin Sat, 29 Jul 2006 06:20:09 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-479 [...] How to restore a hacked Linux server | MDLog:/sysadminEvery sysadmin will try its best to secure the system/s he is managing. Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. [...] [...] How to restore a hacked Linux server | MDLog:/sysadminEvery sysadmin will try its best to secure the system/s he is managing. Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. [...]

]]> By: mikzhttp://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/comment-page-2/#comment-444 mikz Wed, 26 Jul 2006 08:17:43 +0000 http://www.ducea.com/2006/07/17/how-to-restore-a-hacked-linux-server/#comment-444 Marius, you wrote: "...you might have to write some iptables rules to block any kind of access besides your own IP. After this your system will appear down to everyone, including the attacker that will see that the system is completely down." Could you please provide an example of such an iptables script. AFAIK, neither DROP nor REJECT targets make a system look as if it is down. They make protected ports look either "stealthed" or "closed". Marius, you wrote:
“…you might have to write some iptables rules to block any kind of access besides your own IP.
After this your system will appear down to everyone, including the attacker that will see that the system is completely down.”
Could you please provide an example of such an iptables script. AFAIK, neither DROP nor REJECT targets make a system look as if it is down. They make protected ports look either “stealthed” or “closed”.

]]>