Difference between revisions of "Compromised System"

From Atomicorp Wiki
Revision as of 14:01, 27 May 2007

Compromised System checklist

Abstract:

The following is a checklist of tasks to perform when a hosting system has been compromised. It is meant to ensure you capture all the data needed to recover the system and to make sure it is not compromised again. A key to rapid recovery is to use ASL (Atomic Secured Linux) to minimize the forensic investigation time required before the system can be rebuilt. Ideally the specific exploit should be identified before rebuilding; given time constraints this may not be possible until later, which is why two full copies of the compromised host are taken before it is reimaged. The goal of this checklist is rapid recovery.


Prerequisites:

1 backup server, with enough space to store 2 copies of the data from the compromised system

1 valid ASL subscription

Optional: Serial port/KVM console access

Optional: Rescue mode PXE image


Step 1) Find out how the system was compromised

Run the rootkit scanners and keep their output. Both tools run on the live host, so a rootkit that hooks the kernel or has replaced system binaries can hide from them: a clean result is not proof of a clean system. If you have the optional rescue-mode PXE image, booting into it and scanning the mounted disk from there is more trustworthy. Write the reports to a file on the host (for example under /root/) so the full-filesystem rsync in Step 2 picks them up.

Rkhunter (-c runs the check, -sk skips the keypress prompts):

 rkhunter --update
 rkhunter -c -sk

Chkrootkit

 chkrootkit
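The scanners above only answer whether a known rootkit is present. Reimaging in Step 3 destroys everything else that would show how the attacker got in, so it is worth writing a quick evidence snapshot to disk before the Step 2 rsync runs. The script below is an added example, not part of the original checklist and not ASL code: it lists setuid/setgid files, world-writable directories without the sticky bit and recently changed files under a given root, and when run against the live root (/) also records processes, listening sockets, logins, crontabs and the rkhunter/chkrootkit output. The 7-day window, the report file names and the choice of commands are assumptions.

```shell
#!/bin/sh
# Added example (not from the Atomicorp wiki): preserve evidence before reimaging.
# Writes a report directory that the Step 2 rsync will carry to the backup server.
# The 7-day window and file names are assumptions; adjust them to the incident.

# collect_triage ROOT OUTDIR [DAYS]
# Scans the filesystem under ROOT and writes findings into OUTDIR.
collect_triage() {
    root=$1; out=$2; days=${3:-7}
    mkdir -p "$out" || return 1

    # Setuid/setgid files: the classic home of a planted root shell.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sort > "$out/suid_sgid.txt"

    # World-writable directories without the sticky bit: drop points for attacker tools.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null \
        | sort > "$out/world_writable_dirs.txt"

    # Files whose inode changed in the last N days (ctime is harder to forge than mtime).
    find "$root" -xdev -type f -ctime "-$days" -print 2>/dev/null \
        | sort > "$out/recent_ctime_${days}d.txt"

    # Live state only makes sense on the compromised host itself, not on a mounted copy.
    if [ "$root" = "/" ]; then
        { ps auxwww; echo; netstat -tulpen 2>/dev/null || ss -tulpen; echo; last -50; } \
            > "$out/live_state.txt" 2>&1
        for u in $(cut -d: -f1 /etc/passwd); do
            crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
        done > "$out/crontabs.txt"
        command -v rkhunter >/dev/null && rkhunter -c -sk > "$out/rkhunter.txt" 2>&1
        command -v chkrootkit >/dev/null && chkrootkit > "$out/chkrootkit.txt" 2>&1
    fi

    # Checksum manifest so the copy on the backup server can be checked for transfer damage.
    (cd "$out" && sha256sum *.txt > MANIFEST.sha256)
}

# count_findings OUTDIR NAME -> number of entries in that report
count_findings() {
    wc -l < "$1/$2" | tr -d ' '
}
```

Run it on the compromised host as `collect_triage / /root/triage` before Step 2; the manifest is produced on a host you do not trust, so it detects corruption in transit, not changes the attacker made earlier.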
 

Step 2) Back up data from the compromised host. We make 2 copies

Both rsync runs are started from the backup server and pull from the compromised host, so the compromised host never holds a key or password for the backup server. The first copy is the raw filesystem as found; the second, taken after the Plesk backup, also contains the dump pieces and any reports written in Step 1. /proc and /sys are excluded because they are kernel views, not data.

Task 1: Rsync backup of the compromised host, run from the backup server

 rsync -avH --numeric-ids --exclude=/proc/* --exclude=/sys/* -e ssh root@<IP>:/ /var/backups/<IP>/

Task 2: On the compromised host, create a Plesk Backup

 mkdir /root/backups

PSA 7.5 and lower (dump to stdout and split it into pieces named backup.aa, backup.ab, ...)

 /usr/local/psa/bin/psadump -f - | split -b1000m - /root/backups/backup.

PSA 8.0 and higher

 /usr/local/psa/bin/pleskbackup all --split=1G /root/backups/backup


Task 3: Rsync backup of the compromised host again, from the backup server (this gets those backups too). Use a different destination directory if you want the first snapshot kept unchanged rather than updated in place:

 rsync -avH --numeric-ids --exclude=/proc/* --exclude=/sys/* -e ssh root@<IP>:/ /var/backups/<IP>/


Step 3) Reinstall the system

Task 1: Reimage the system

Reimage from trusted install media; do not reuse the old filesystem or any part of it.

Optional: The AOOI script to image the system with CentOS4 (1and1 users, or users on other EOL'd operating systems like FC4, FC5, etc). The script is fetched over plain HTTP and piped straight into a root shell; where possible, download it to a file, read it and compare it against a checksum obtained out of band before running it.

 wget -q -O - http://3es.atomicrocketturtle.com/tests/aooi-installer.sh | sh

Task 2: Update the system

 yum -y update

Step 4) Install/Configure Atomic Secured Linux

Task 1: Install ASL (the same pipe-to-shell caveat as for the AOOI script applies: prefer downloading to a file, checking it, and running it from disk)

 wget -q -O - http://www.atomicorp.com/installers/asl-install.sh | sh
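Both the AOOI installer in Step 3 and the ASL installer here are fetched over plain HTTP and piped into a root shell, so whatever the network hands back runs unread on the freshly reimaged host. The functions below are an added example, not Atomicorp's installer or code, of the safer shape: download to a file, compare its SHA-256 with a value obtained out of band, and only then execute it. The expected digest is an assumption you must supply from a trusted source; nothing in the script can derive it, and the placeholder in the usage note is not a real hash.

```shell
#!/bin/sh
# Added example (not Atomicorp's installer): fetch to disk, verify, then run.
# EXPECTED_SHA256 must come from a trusted channel, never from the same HTTP server.

# sha256_of FILE -> hex digest on stdout; status 1 if the file is unreadable
sha256_of() {
    [ -r "$1" ] || return 1
    sha256sum "$1" | cut -d' ' -f1
}

# fetch_installer URL DEST: download into a private file, never into a pipe.
fetch_installer() {
    ( umask 077; wget -q -O "$2" "$1" ) || { echo "download failed: $1" >&2; return 1; }
}

# run_verified FILE EXPECTED_SHA256 [INTERPRETER]
# Executes FILE with INTERPRETER (default sh) only if its digest matches.
# On mismatch nothing is executed and the status is 1.
run_verified() {
    file=$1; expected=$2; interp=${3:-sh}
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual does not match $expected" >&2
        return 1
    fi
    "$interp" "$file"
}

# install_from_url URL EXPECTED_SHA256: drop-in for 'wget -q -O - URL | sh'.
install_from_url() {
    tmp=$(mktemp) || return 1
    fetch_installer "$1" "$tmp" && run_verified "$tmp" "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Usage on the rebuilt host: `install_from_url http://www.atomicorp.com/installers/asl-install.sh <sha256 obtained from a trusted source>`. The digest check does not replace a read of the script; it only guarantees you run the file you were told to expect.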

Task 2: Update signatures

 asl -u

Task 3: Run ASL in fix mode

 asl -f

Task 4: Install Plesk (yum or autoupdater)

Using Yum:

sub-task 1: Configure the PSA channel for the version of the backup you made (ie, psa 7.5 backup, install psa 7.5)

See http://www.atomicorp.com/channels/plesk/ for plesk channels

Example setting up the PSA 7.5.4 channel for centos 4: vim /etc/yum.repos.d/plesk.repo

 [plesk-7.5.4]
 name=Atomic Rocket Turtle - $releasever - SW-Soft PSA 7.5.4 RPMS
 baseurl=http://www.atomicorp.com/channels/plesk/7.5.4/centos/$releasever/$basearch
 gpgcheck=0

gpgcheck=0 turns off RPM signature verification for this channel, so yum installs whatever the HTTP mirror serves. If the channel publishes a signing key, set gpgcheck=1 and point gpgkey= at it.

sub-task 2: Install psa, and support packages

 yum -y install psa psa-bu mailman psa-spamassassin frontpage

sub-task 3: copy psa.key (the Plesk licence key) from the rsync backup on the backup server to /etc/psa/psa.key on the new system. Copy only the key; do not restore anything else from the old /etc, since it may carry the attacker's changes.

 scp /var/backups/<IP>/etc/psa/psa.key root@<IP>:/etc/psa/psa.key

sub-task 4: restart psa

 /etc/init.d/psa restart

sub-task 5: log into psa, and reconfigure settings. Specifically set the shared IPs

 https://<IP>:8443

Step 5) Restore system

Task 1: Copy the Plesk backup to the reimaged system (the pieces written in Step 2 are in the second rsync copy on the backup server)

 scp /var/backups/<IP>/root/backups/* root@<IP>:/root/

Task 2: Use psarestore/pleskrestore to recover data, matching the tool to the version that made the dump

PSA 7.5 and lower: reassemble the split psadump pieces in order (cat backup.aa, backup.ab, ... into one file) and point psarestore at the result

 /usr/local/psa/bin/psarestore

PSA 8.0 and higher

 /usr/local/psa/bin/pleskrestore
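Both the split psadump in Step 2 and the restore here depend on the pieces surviving two rsync hops and an scp intact and being concatenated in the right order; a truncated piece only shows up when the restore fails half-way. The functions below are an added example, not Plesk's or Atomicorp's tooling: split_with_manifest takes the dump on stdin, splits it the way the checklist does and writes a SHA-256 manifest next to the pieces; reassemble_and_verify checks every piece against that manifest, concatenates them and checks the whole before you hand the file to psarestore. Piece size, file prefix and the use of GNU sha256sum are assumptions.

```shell
#!/bin/sh
# Added example, not Plesk's or Atomicorp's code: split a dump stream into pieces
# with a SHA-256 manifest, then verify and reassemble the pieces on the new host.
# Pieces are PREFIX.aa, PREFIX.ab, ... (split's default naming, matching the
# checklist's 'backup.' prefix); the manifest is PREFIX.sha256.

# split_with_manifest PREFIX SIZE   (dump stream on stdin)
split_with_manifest() {
    prefix=$1; size=$2
    dir=$(dirname "$prefix"); base=$(basename "$prefix")
    split -b "$size" - "$prefix." || return 1
    (
        cd "$dir" || exit 1
        # First line: digest of the whole stream (what the reassembled file must hash to);
        # remaining lines: one digest per piece, in order.
        printf '%s  %s\n' "$(cat "$base".[a-z][a-z] | sha256sum | cut -d' ' -f1)" "$base.WHOLE"
        sha256sum "$base".[a-z][a-z]
    ) > "$prefix.sha256"
}

# reassemble_and_verify PREFIX OUTFILE
# Returns 1 and leaves no OUTFILE if any piece, or the reassembled file, disagrees
# with the manifest, so a damaged transfer never reaches psarestore.
reassemble_and_verify() {
    prefix=$1; out=$2
    dir=$(dirname "$prefix"); base=$(basename "$prefix")
    [ -f "$prefix.sha256" ] || { echo "manifest missing: $prefix.sha256" >&2; return 1; }
    # Check each piece before spending disk and time on the concatenation.
    (
        cd "$dir" || exit 1
        tail -n +2 "$base.sha256" | while read -r sum name; do
            [ "$(sha256sum "$name" 2>/dev/null | cut -d' ' -f1)" = "$sum" ] \
                || { echo "piece mismatch or missing: $name" >&2; exit 1; }
        done
    ) || return 1
    cat "$prefix".[a-z][a-z] > "$out" || return 1
    expected=$(head -n 1 "$prefix.sha256" | cut -d' ' -f1)
    actual=$(sha256sum "$out" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "reassembled file does not match manifest" >&2
        rm -f "$out"
        return 1
    fi
}
```

On the compromised host, in place of the plain split: `/usr/local/psa/bin/psadump -f - | split_with_manifest /root/backups/backup 1G`; the Step 5 scp then carries the pieces and backup.sha256 together. On the rebuilt host: `reassemble_and_verify /root/backup /root/backup.dump` and give the dump file to psarestore. The manifest was produced on a host you do not trust, so it catches transfer corruption, not tampering that happened before the dump was taken.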

Step 6) Restore additional Components
