1. I’ve been hacked! Now what?

If you ride a motorcycle, you know that it’s not “if you fall down,” but “when you fall down.” As a rider, you can’t prevent the inevitable, but you can learn what to do in a crash, and learn what to do to minimize your own injuries.

Having a computer connected to the Internet is like riding a motorcycle. Eventually, you’re going to get hacked. So, if you’ve been hacked, or if you think you’ve been hacked, here’s what to do: don’t panic.

Next, you have a simple decision to make, but with not so simple consequences: do you want to gather information for possible prosecution? Or, do you just want to secure your machine and get back to work?

Preparing for prosecution entails quite a bit of time and effort. If you decide to follow this course, see the sidebar “Security Related URLs.” You should also consult competent legal counsel to learn your rights and options.

Security Related URLs

Security and incident response http://www.ciac.org/ciac

Computer forensics and preservation of evidence, http://www.forensics-intl.com/info.html

Contacting law enforcement, http://www.fbi.gov/contact/fo/fo.htm

Vulnerabilities and good security practice, http://www.securityfocus.com

Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin, http://www.wilyhacker.com

SANS Institute: Information Security Reading Room, http://rr.sans.org

BigAdmin System Administration Portal, http://www.sun.com/bigadmin

CERT, http://www.cert.org

No matter what course you choose, you’ll eventually have to secure your machine and bring it back to an uncompromised, useful state. The steps to recover from an intrusion are simple, but may require quite a bit of work.

  1. Disconnect your system from the network! Disconnecting the machine isolates it from further damage, and prevents it from causing further damage elsewhere.

  2. Save a copy of all your configuration files, such as /etc/fstab, /etc/passwd, /etc/inetd.conf, sendmail.cf, etc.

  3. Backup everything! Backups also preserve any configuration files that you may need later.

  4. Now the painful part: reinstall the operating system and all applications from known, uncompromised media. If you have the ability to verify that your applications have not been tampered with, you can recover them from backups.

  5. Reconfigure your system. Double-check all of your configurations and security settings. If you can deduce what security shortfall permitted the breach, fix it now.

  6. Install any security patches from your vendor’s or distribution’s site.

  7. Reinstall or restore your applications, and recover all of your data.

  8. Bring the system back online.

Yes, this is the “big hammer” approach, but it eliminates any traps left behind.
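Steps 2 through 4 above rest on having copies of the configuration files whose integrity you can later check. The following script is an added example, not part of the column: it copies the named files into a snapshot directory (meant to be removable or read-only media), writes a SHA-256 manifest beside them, and can later re-check the live files against that manifest so you know which ones changed before you trust anything from a backup. It assumes GNU coreutils (sha256sum, cp -p); the snapshot path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the column): preserve configuration files from a
# suspect host with a SHA-256 manifest, and verify them later.
# Assumes GNU coreutils: sha256sum, cp -p, chmod -R.

# snapshot_configs DEST FILE...
# Copies each regular FILE into DEST, keeping its full path and mode, and
# appends "hash  path" lines to DEST/SHA256SUMS.  Files that do not exist
# are reported and skipped rather than aborting the whole snapshot.
snapshot_configs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/SHA256SUMS"
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f (not a regular file)" >&2
            continue
        fi
        mkdir -p "$dest/$(dirname "$f")" || return 1
        cp -p "$f" "$dest/$f" || return 1
        sha256sum "$f" >> "$dest/SHA256SUMS"
    done
    # Evidence should not be readable by other local users.
    chmod -R go-rwx "$dest"
}

# verify_snapshot DEST
# Re-hashes every original path listed in DEST/SHA256SUMS.  Prints a
# "path: FAILED" line for each file that changed or vanished and returns
# non-zero if any did, so it can gate a restore from backup.
verify_snapshot() {
    sha256sum -c --quiet "$1/SHA256SUMS"
}

# Usage when run as a script, e.g. on a freshly isolated machine:
#   ./snapshot.sh /mnt/usb/evidence-2002-11-01 /etc/fstab /etc/passwd /etc/inetd.conf
if [ "$#" -ge 2 ]; then
    snapshot_configs "$@"
fi
```

Run snapshot_configs right after step 1, while the machine is still off the network; run verify_snapshot against the rebuilt system's files (or against a backup mounted read-only) before deciding whether a configuration file from the old system can be reused.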

If you want more information on making your Linux system more secure — a process called hardening — refer to the hardening checklist available online at http://www.linux-mag.com/downloads/2002-11/guru/harden_list.html, and the “Guru Guidance” columns in the September 2002, October 2002, and this issue of the magazine (also available online at http://www.linux-mag.com/{2002-09, 2002-10, 2002-11}/guru_01.html).

2. I need to keep my Web site up to date. Are there any scriptable FTP tools?

Yes, there are several non-interactive and scriptable FTP clients, including C-Kermit (http://www.columbia.edu/kermit/ftpclient.html), GNU wget (http://www.gnu.org/software/wget/wget.html), and lftp (http://lftp.yar.ru), written by Alexander V. Lukyanov.

For maintaining a Web site, lftp is ideal. According to the lftp web site, “LFTP is a sophisticated FTP/HTTP client and file transfer program. Like BASH, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It was designed with reliability in mind.”

lftp has many commands, but for the purpose of updating a website, you’re likely to use a sequence of commands that looks something like this:

open www.myisp.net
user john_mascio mypassword
lcd /home/mascio/public_html
cd /home/john_mascio/public_html
mirror --delete --reverse --only-newer

If you place these commands in a file called update_website, you’d invoke lftp with lftp -f update_website.

If your local directory is set up to match the remote directory then the script will:

  1. Connect to your ISP (in this example, www.myisp.net)

  2. Login with your username and password (john_mascio and mypassword, respectively).

  3. Change to your local directory (/home/mascio/public_html) to get your files.

  4. Change to your remote directory (/home/john_mascio/public_html) to put the files.

  5. Reverse mirror (put) the new or changed files (--only-newer), delete any files you have removed from your local version (--delete).

  6. Exit when completed.

In step five, use the --delete option carefully! Also note that if you do not use the --reverse option, lftp will get the remote files and overwrite your local copy.

Since your user name and password are in this script, be sure to keep this file safe, and make sure it’s not readable by anyone else by using chmod go-rwx update_website. It would be even better if the password used to update your Web site is different from any other password you use.

lftp has many other options, including secure file transfers. Read the man page to learn more.
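The two cautions above (the --delete option and a script that carries a password) can be handled by a small wrapper. This is an added example, not the column's or lftp's own code: it keeps the "user NAME PASSWORD" line in a separate credentials file (hypothetical path ~/.lftp_site) and refuses to run unless that file is owner-only, generates the lftp command file on the fly rather than storing it on disk, and runs the mirror once with --dry-run so you can see what --delete would remove before it happens. It assumes lftp 4.x, where mirror accepts --dry-run, and an FTP server that supports TLS (ftp:ssl-force makes lftp refuse a plain-text login).

```shell
#!/bin/sh
# Added example (not from the column): a safer driver for the lftp update.
# Assumes lftp 4.x (mirror --dry-run) and a credentials file holding one
# "user NAME PASSWORD" line, e.g. ~/.lftp_site (hypothetical path).

# refuse_if_readable FILE
# Returns 1 unless FILE is a regular file whose group/other permission bits
# are all cleared (mode 0600 or stricter), i.e. what chmod go-rwx leaves.
refuse_if_readable() {
    if [ ! -f "$1" ]; then
        echo "missing credentials file: $1" >&2
        return 1
    fi
    # Columns 5-10 of ls -ld are the group and other rwx bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "$1 is readable by others ($bits); run: chmod go-rwx $1" >&2
        return 1
    fi
}

# build_lftp_script HOST LOCALDIR REMOTEDIR CREDFILE [EXTRA-MIRROR-OPTS]
# Prints the lftp command file to stdout; the login line comes from CREDFILE.
build_lftp_script() {
    host=$1 ldir=$2 rdir=$3 cred=$4 extra=${5:-}
    cat <<EOF
set ftp:ssl-force true
open $host
$(cat "$cred")
lcd $ldir
cd $rdir
mirror --reverse --only-newer --delete${extra:+ $extra}
quit
EOF
}

# publish HOST LOCALDIR REMOTEDIR CREDFILE
# Previews the mirror with --dry-run, asks for confirmation, then runs it.
# The generated command file lives only in a 0600 temp file while lftp runs.
publish() {
    refuse_if_readable "$4" || return 1
    umask 077
    tmp=$(mktemp) || return 1
    build_lftp_script "$@" --dry-run > "$tmp"
    echo "Preview: nothing is transferred or deleted yet."
    lftp -f "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'Apply these changes to the remote site? [y/N] '
    read -r ans
    if [ "$ans" != "y" ]; then
        rm -f "$tmp"
        return 1
    fi
    build_lftp_script "$@" > "$tmp"
    lftp -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: ./publish.sh www.myisp.net /home/mascio/public_html \
#            /home/john_mascio/public_html ~/.lftp_site
if [ "$#" -eq 4 ]; then
    publish "$@"
fi
```

The dry run is the important part: a local directory that is accidentally empty or mis-set would otherwise let --delete wipe the remote site in one pass, and the preview shows that before anything is sent.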

John R. S. Mascio is an independent systems and network management consultant. He can be reached at mascio@ryu.com.
