You want to get your hacked machine back in service as soon as possible; you don't want to lose any available forensic data; and you want to determine how the intruder got access to your system. So make a low-level copy (dump) of your disks, partitions or slices. A copy made with rsync, cp -pr, tar or similar high-level tools will not do, since any decent rootkit will have hidden itself, perhaps by wrapping system calls.
The plan: take a low-level copy; mount the copy on a trusted host and investigate — there should no longer be any rootkit-hidden files.
The standard tools for this kind of backup (or dump) are ufsdump on Solaris and dump on Linux. The latter, however, is the subject of some discussion:
Pros:
Cons:
Norton/Symantec's Ghost can be used to make a copy of a filesystem. However, Ghost supports only Ext2 and Ext3, not ReiserFS, XFS, JFS...
Enough! Any real Unix/Linux sysadmin will simply use dd or even cat. I have tried and tested both of the following procedures. On the hacked machine:

    dd if=/dev/hda1 of=/scratch/hda1image

or

    cat /dev/hda1 > /scratch/hda1.cat

then copy the image to a trusted machine and

    cd /scratch
    mkdir hda1
    mount hda1image hda1 -t ext3 -o loop=/dev/loop2

This supports all filesystems that the kernel on the trusted machine can understand; it works.
It is plausible that dd and/or cat, or something they depend on, will have been compromised in a way which will interfere with these procedures, so the truly paranoid should boot the hacked machine from a "live" CD, or attach its hard-disks to a trusted machine (as slave devices).
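The dd-and-loop-mount procedure above, written out as an added example (not the page's own commands): it records a hash of the device and of the image at acquisition time, re-checks the hash after the image has been copied to the trusted host, and mounts the image read-only so the investigation cannot modify the evidence. Device name, scratch paths and the ext3 filesystem type are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page. Image a block device with dd,
# hash both device and image so the copy can be verified after transfer,
# then mount the image read-only on the trusted host.
set -eu

# Hash a file or device. sha256sum (coreutils) is assumed; shasum is the fallback.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Low-level copy of $1 (device) to $2 (image file). No conv=sync padding, so
# the image is byte-for-byte the device. Records the hash of the source and
# of the image beside the image; returns 0 only if the two hashes agree.
image_device() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=1M
    hash_of "$src" > "$img.src.sha256"
    hash_of "$img" > "$img.sha256"
    [ "$(cat "$img.src.sha256")" = "$(cat "$img.sha256")" ]
}

# On the trusted host: recompute the hash of the transferred image and compare
# it with the value recorded at acquisition. Returns 0 if they match, so any
# corruption or tampering during transfer is caught before analysis starts.
verify_image() {
    img=$1
    [ "$(hash_of "$img")" = "$(cat "$img.sha256")" ]
}

# Mount the verified image read-only: ro prevents writes, noexec/nodev stop
# binaries and device nodes from the suspect filesystem being used on the
# trusted host. Requires root; the loop device is picked automatically.
# For ext3/ext4 images, adding noload also skips journal replay.
mount_image_ro() {
    img=$1; dir=$2; fstype=${3:-ext3}   # assumed: ext3, as on the page
    mkdir -p "$dir"
    mount -t "$fstype" -o ro,noexec,nodev,loop "$img" "$dir"
}
```

Run image_device on the hacked machine (or with the disk attached to a trusted one), copy the image and its .sha256 file across, then verify_image and mount_image_ro on the trusted host.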