Responding to an incident
An incident can be defined as any unauthorized use of computing or networking resources. The basic steps, for either Unix or Mac OS X, are:
- Read CERT's Unix Intruder Detection Checklist.
- Back up the machine.
- Create an image of the filesystems using dd to a remote machine. Remember, the size of the disk will be the size of the image file. Plan accordingly. If there isn't disk space available, please contact us at security@duke.edu
- Find out what ports are listening by running: "lsof -i | grep -i listen"
- Compare that output to what is visible from the network. From another machine, run: "nmap -P0 -A -p 1-65535 <target>"
- Use the nmap output to verify that lsof hasn't been compromised. If you are running a firewall on the target machine, you must take into account what ports are permitted to be visible to the scanning machine.
- Note: If there is suspicion of a root-level compromise, clean binaries must be imported and used to further the investigation.
- Examine log files for gaps, connections to unexpected places, reboots, binary garbage, and odd application messages.
- Look for setuid and setgid files.
- Look at 'cron' and 'at' files
- Verify the services running on the machine
- Check /etc/passwd for modifications
- Look for hidden files using clean versions of 'find' and 'lsof'
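The lsof/nmap comparison from the steps above, as an added example that is not part of the original checklist. It parses constructed sample output from both tools (the lsof lines assume the -P flag so that ports stay numeric) and reports ports that are open on the network but absent from lsof, the discrepancy that points at a tampered lsof or a hidden listener, separately from ports that lsof shows but the scanner cannot reach, which the host firewall usually explains.

```shell
#!/bin/sh
# Added example (not from the Duke checklist): cross-check the ports lsof says are
# listening against the ports nmap saw open from another host. Run lsof with -P
# so ports stay numeric (otherwise "*:ssh" would not match nmap's "22/tcp").

# Constructed sample of "lsof -P -i | grep -i listen" taken on the suspect host.
LSOF_SAMPLE='sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    1001 root    4u  IPv6  23456      0t0  TCP [::]:80 (LISTEN)
cupsd    1300 root    6u  IPv4  45678      0t0  TCP 127.0.0.1:631 (LISTEN)'

# Constructed sample of "nmap -P0 -A -p 1-65535 <target>" run from another host.
NMAP_SAMPLE='PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.2.3
31337/tcp open  unknown'

# TCP ports lsof reports in LISTEN state, one per line, numerically sorted.
# NAME is the field just before "(LISTEN)"; the port follows its last ":".
lsof_ports() {
    printf '%s\n' "$1" |
        awk '/\(LISTEN\)/ { n = split($(NF-1), a, ":"); print a[n] }' | sort -n | uniq
}

# TCP ports nmap reports as open, one per line, numerically sorted.
nmap_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' |
        sort -n | uniq
}

# Open on the network but missing from lsof: a tampered lsof or a hidden listener.
# Re-examine with clean (imported) binaries before trusting any local tool.
hidden_ports() {
    lp=$(mktemp); np=$(mktemp)
    lsof_ports "$1" > "$lp"; nmap_ports "$2" > "$np"
    grep -vxF -f "$lp" "$np" || true
    rm -f "$lp" "$np"
}

# Listening locally but not reachable from the scanner: usually the host firewall
# (or a loopback-only bind), which the checklist says to account for.
firewalled_ports() {
    lp=$(mktemp); np=$(mktemp)
    lsof_ports "$1" > "$lp"; nmap_ports "$2" > "$np"
    grep -vxF -f "$np" "$lp" || true
    rm -f "$lp" "$np"
}

echo "Open on the network but hidden from lsof:"; hidden_ports "$LSOF_SAMPLE" "$NMAP_SAMPLE"
echo "Listening but not visible to the scanner:"; firewalled_ports "$LSOF_SAMPLE" "$NMAP_SAMPLE"
```

To use it on a real case, replace the two sample strings with the saved output of each tool, or feed the files through "$(cat lsof.txt)" and "$(cat nmap.txt)".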
A good forensics tool is the Helix Live CD. This CD works not only for Unix & Linux machines, but also Windows.
For assistance in responding to an incident, please contact us at security@duke.edu
NOTE: If there is ANY reason to suspect the incident will require law enforcement, do NOT touch the machine. Contact us at security@duke.edu and unplug the network cable from the wall end.
When to involve law enforcement?
- Child pornography
- Depends on the existing policies and procedures under which that machine or network operates.
- Value of data loss & cost of recovery is greater than $5000