Does anyone know some procedures that one might go through after getting hacked? Like clearing your name of any other break-ins from attacks that originated at your system, because the hacker was using it to launch other attacks, and DoS?
cperciva
04-23-2001, 10:53 PM
Wipe the entire drive and reinstall from a known clean source (eg, installation CD).
You can *try* to go around and remove damage caused by an attacker, but you'll never know for certain if you've got rid of everything.
what about legal actions?
cperciva
04-23-2001, 11:17 PM
Originally posted by lith
what about legal actions?
Well, *before you touch anything* decide if you want to pursue legal action. If you do, remove the hard drive and put it aside while you bring your server back online with a new hard drive. For all practical purposes it is impossible to bring a server back into proper working condition without destroying evidence unless you swap out the hard drive. Once you've brought the server back online with a new hard drive, mount the "tainted" drive in read-only mode on a different system and start inspecting log files to work out what happened, what evidence you have, etc.
In my opinion, there usually isn't any point pursuing legal action. In this era of Redhat 6.2/7.0, most security incidents are the result of autonomous worms, and no legal action can be taken there. Even if there is actually a human attacking the system, you have to decide if they are worth dealing with; unless you can demonstrate that they intended to cause damage they probably won't get any serious penalty imposed upon them, and you'll have wasted lots of time.
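The drive-swap and read-only examination cperciva describes, written out as a shell session for the analysis box. This is an added example, not code from the thread or from any tool named in it; the device name /dev/sdb, the /evidence and /mnt/evidence paths and the host1.dd file name are assumptions (placeholders), and the script expects dd, sha256sum, mount and find to be present.

```shell
#!/bin/sh
# Added example, not from the thread: preserve the compromised drive as evidence,
# then examine it read-only on a separate analysis machine, as cperciva describes.
# Assumptions (placeholders): the pulled drive appears as /dev/sdb on the analysis
# box, images live under /evidence, and dd, sha256sum, mount and find are available.
set -eu

# Copy the device bit-for-bit and record its SHA-256 next to it, with a dated
# note of who imaged what. The hash is what lets you show later that the image
# was never altered during analysis. Add conv=noerror,sync only for a failing
# disk; it pads unreadable blocks with zeros and changes the image size.
image_drive() {                      # image_drive /dev/sdb /evidence/host1.dd
    dev=$1; img=$2
    dd if="$dev" of="$img" bs=1048576
    sha256sum "$img" > "$img.sha256"
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) imaged $dev to $img by $(id -un)" >> "$img.log"
}

# Re-hash the image and compare with the recorded value. Returns non-zero on a
# mismatch so it can gate every analysis session.
verify_image() {                     # verify_image /evidence/host1.dd
    img=$1
    expected=$(cut -d' ' -f1 "$img.sha256")
    actual=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "ok: $img matches recorded hash"
    else
        echo "MISMATCH: $img differs from recorded hash" >&2
        return 1
    fi
}

# Mount the image read-only. ro stops writes (noatime as well, so access times
# survive); noexec,nosuid,nodev keep anything on the tainted filesystem from
# being run or used as a device on the analysis box. For a whole-disk image add
# offset=<partition start in bytes>; a single-partition image mounts as is.
mount_evidence() {                   # mount_evidence /evidence/host1.dd /mnt/evidence
    img=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,loop,noatime,noexec,nosuid,nodev "$img" "$mnt"
}

# First pass over the mounted tree using only the analysis box's own binaries:
# logs, root's home (shell history), set-uid files and anything changed in the
# last 30 days. Never execute anything from the tainted tree.
inspect_evidence() {                 # inspect_evidence /mnt/evidence
    mnt=$1
    ls -la "$mnt/var/log" "$mnt/root" 2>/dev/null || true
    find "$mnt" -xdev -type f -perm -4000 2>/dev/null
    find "$mnt" -xdev -type f -mtime -30 2>/dev/null | head -n 50
}

# Typical session on the analysis box, as root:
#   image_drive /dev/sdb /evidence/host1.dd
#   verify_image /evidence/host1.dd
#   mount_evidence /evidence/host1.dd /mnt/evidence
#   inspect_evidence /mnt/evidence
```

Keep the original drive itself untouched after imaging; all analysis happens against the image, and the recorded hash plus the log line are what you hand over if the case does go anywhere.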
A good place to start is CERT's site "Recovering from an Incident", http://www.cert.org/nav/recovering.html. You will find a lot of information on http://project.honeynet.org/, I especially recommend the "Know your enemy" papers, http://project.honeynet.org/papers/enemy/index.html.
You will find a lot of information on Neohapsis as well, especially on the incident page, http://archives.neohapsis.com/archives/incidents/, where you can read about other people's experiences.
There's a little but great utility called "chkrootkit" which you can use to try to find out what rootkit has been installed. Since the homepage is written in Portuguese, I will give you the direct link. Go to:
http://www.pangeia.com.br/download.htm
and grab chkrootkit and chkdemonkit.
If you cannot identify which rootkit has been installed on your server, you should do a clean install.
/lennert
We had an attack a year ago. The hacker did not get root but did manage to get a privileged account; he/she added several innocent-looking users (e.g. atalk, uucp, sambar). Fortunately, these were easily spotted because we keep backups of the user lists. However, there was no way to tell what damage had been done. We did not want to take the chance of the person coming back and managing to compromise more machines -- especially our data backup server.
The end result was a re-install -- this is the only way we could be sure that the box was clean. Also, only install off of known good CDs or image files.
Always check PGP signatures. Last year a version of TCPwrappers was hacked and a bot dropped in to email user names and passwords to an account. This was spotted because a PGP sig was not correct.
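The user-list comparison the poster above relied on, as an added example rather than anything posted in the thread: diff the live /etc/passwd against a known-good copy kept off the box, and also catch what a plain name comparison misses (a second UID-0 account, an existing system account given a real shell). The baseline path /backup/passwd.known-good is an assumption, and the sample passwd data inside the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: compare the live account list with a
# known-good copy kept off the box (the poster above kept backups of the user
# list) and flag added accounts, extra UID-0 accounts and changed entries.
# Assumed paths are placeholders: the baseline is a copy of /etc/passwd taken
# when the machine was known clean, e.g. /backup/passwd.known-good.
set -eu

# User names present in CURRENT but absent from BASELINE.
added_accounts() {                   # added_accounts BASELINE CURRENT
    awk -F: 'NR==FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Any account with UID 0 other than root itself; a second UID-0 login is a
# classic backdoor that a name-only comparison would miss.
extra_root_accounts() {              # extra_root_accounts PASSWD
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that exist in both files but whose line changed (shell, UID, home),
# e.g. a system account such as uucp quietly given a real login shell.
changed_entries() {                  # changed_entries BASELINE CURRENT
    awk -F: 'NR==FNR { entry[$1] = $0; next } ($1 in entry) && entry[$1] != $0 { print $1 }' "$1" "$2"
}

# Print one line per finding and exit non-zero if anything was found, so this
# can run from cron and page someone.
audit_accounts() {                   # audit_accounts BASELINE CURRENT
    bad=0
    for u in $(added_accounts "$1" "$2");  do echo "ADDED:   $u"; bad=1; done
    for u in $(extra_root_accounts "$2");  do echo "UID0:    $u"; bad=1; done
    for u in $(changed_entries "$1" "$2"); do echo "CHANGED: $u"; bad=1; done
    return $bad
}

# Constructed sample data (not from any real system) so the script runs
# stand-alone: the "current" file has atalk and sambar added, sambar with
# UID 0, and uucp's shell switched from nologin to /bin/sh.
write_samples() {                    # write_samples DIR
    cat > "$1/passwd.known-good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
atalk:x:1001:1001:AppleTalk:/home/atalk:/bin/bash
sambar:x:0:0:Sambar:/tmp:/bin/bash
EOF
}

# Demo run against the constructed data:
#   d=$(mktemp -d); write_samples "$d"; audit_accounts "$d/passwd.known-good" "$d/passwd"
# In production: audit_accounts /backup/passwd.known-good /etc/passwd
```

The baseline has to live somewhere the attacker cannot reach from the compromised host (the poster's point about the backup server applies here too); a copy on the same box is only as trustworthy as the box.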