Difference between revisions of "Compromised System"
From Atomicorp Wiki
(New page: == Compromised System checklist == '''Abstract:''' The following is a checklist of tasks to perform when a hosting system has been compromised, to ensure you have all the appropriate da...) |
|||
| Line 19: | Line 19: | ||
Step 1) Find out how the system was compromised | Step 1) Find out how the system was compromised | ||
| + | |||
| + | Basic tools | ||
| + | rkhunter | ||
| + | chkrootkit | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | |||
| − | |||
| + | Step 2) Back up data from the compromised host. We make 2 copies | ||
| + | Task 1: Rsync back of compromised host from the backup server | ||
| + | rsync -av -e ssh root@<IP>:/ /backups/<IP>/ | ||
| + | Task 2: On the compromised host, create a Plesk Backup | ||
| + | psadump or pleskbackup | ||
| + | Task 3: Copy the backup to the backup server | ||
| + | |||
| + | |||
| + | Step 3) Reinstall the system | ||
| + | Task 1: Reimage the system | ||
| + | Optional: The AOOI script to image the system with CentOS4 (1and1 users, or users on other EOL'd operating systems like FC4, FC5, etc) | ||
| + | wget -q -O http://3es.atomicrocketturtle.com/tests/aooi-installer.sh |sh | ||
| + | Task 2: Update the system | ||
| + | yum -y update | ||
| + | |||
| + | Step 4) Install/Configure Atomic Secured Linux | ||
| + | Task 1: Install ASL | ||
| + | wget -q -O http://www.atomicorp.com/installers/asl-install.sh |sh | ||
| + | Task 2: Update signatures | ||
| + | asl -u | ||
| + | Task 3: Run ASL in fix mode | ||
| + | asl -f | ||
| + | Task 4: Install Plesk (yum or autoupdater) | ||
| + | yum: | ||
| + | sub-task 1: Configure PSA channel for the version of your backup you made (ie, psa 7.5 backup, install psa 7.5) | ||
| + | See http://www.atomicorp.com/channels/plesk/ for plesk channels | ||
| + | example setting up PSA 7.5.4 channel for centos 4: vim /etc/yum.repo.d/plesk.repo | ||
| + | [plesk-7.5.4] | ||
| + | name=Atomic Rocket Turtle - $releasever - SW-Soft PSA 7.5.4 RPMS | ||
| + | baseurl=http://www.atomicorp.com/channels/plesk/7.5.4/centos/$releasever/$basearch | ||
| + | gpgcheck=0 | ||
| + | |||
| + | sub-task 2: Install psa, and support packages | ||
| + | yum -y install psa psa-bu mailman psa-spamassassin frontpage | ||
| + | |||
| + | sub-task 3: copy psa.key from rsync backup to /etc/psa/psa.key | ||
| + | scp /backup/<IP>/etc/psa/psa.key root@<IP>:/etc/psa/psa.key | ||
| + | |||
| + | sub-task 4: restart psa | ||
| + | /etc/init.d/psa restart | ||
| + | |||
| + | sub-task 5: log into psa, and reconfigure settings. Specifically set the shared IP's | ||
| + | |||
| − | Step | + | Step 5) Restore t system |
| + | Task 1: Reinstall | ||
| + | Task 1: Copy plesk backup to reimaged system | ||
| + | Task 2: Use psarestore/pleskrestore to recover data | ||
| + | psarestore/pleskrestore | ||
| − | Step | + | Step 6) Restore additional Components |
| + | Task 1: | ||
Revision as of 14:47, 27 May 2007
Compromised System checklist
Abstract:
The following is a checklist of tasks to perform when a hosting system has been compromised, to ensure you have all the appropriate data to recover the system and ensure that it will not be compromised again. A key to rapid recovery is to use ASL to minimize the forensic investigation time required to recover. Ideally the specific exploits should be identified in advance, however given time constraints this might not be possible until later. The goal of this checklist is Rapid Recovery.
Preqreqs:
1 Backup server, to store 2 copies of data from the compromised system
1 Valid ASL subscription
Optional: Serial port/KVM console access
Optional: Rescue mode PXE image
Step 1) Find out how the system was compromised
Basic tools rkhunter
chkrootkit
Step 2) Back up data from the compromised host. We make 2 copies Task 1: Rsync back of compromised host from the backup server rsync -av -e ssh root@<IP>:/ /backups/<IP>/ Task 2: On the compromised host, create a Plesk Backup psadump or pleskbackup Task 3: Copy the backup to the backup server
Step 3) Reinstall the system Task 1: Reimage the system Optional: The AOOI script to image the system with CentOS4 (1and1 users, or users on other EOL'd operating systems like FC4, FC5, etc) wget -q -O http://3es.atomicrocketturtle.com/tests/aooi-installer.sh |sh Task 2: Update the system yum -y update
Step 4) Install/Configure Atomic Secured Linux Task 1: Install ASL wget -q -O http://www.atomicorp.com/installers/asl-install.sh |sh Task 2: Update signatures asl -u Task 3: Run ASL in fix mode asl -f Task 4: Install Plesk (yum or autoupdater) yum: sub-task 1: Configure PSA channel for the version of your backup you made (ie, psa 7.5 backup, install psa 7.5) See http://www.atomicorp.com/channels/plesk/ for plesk channels example setting up PSA 7.5.4 channel for centos 4: vim /etc/yum.repo.d/plesk.repo [plesk-7.5.4] name=Atomic Rocket Turtle - $releasever - SW-Soft PSA 7.5.4 RPMS baseurl=http://www.atomicorp.com/channels/plesk/7.5.4/centos/$releasever/$basearch gpgcheck=0 sub-task 2: Install psa, and support packages yum -y install psa psa-bu mailman psa-spamassassin frontpage
sub-task 3: copy psa.key from rsync backup to /etc/psa/psa.key
scp /backup/<IP>/etc/psa/psa.key root@<IP>:/etc/psa/psa.key
sub-task 4: restart psa
/etc/init.d/psa restart
sub-task 5: log into psa, and reconfigure settings. Specifically set the shared IP's
Step 5) Restore t system Task 1: Reinstall Task 1: Copy plesk backup to reimaged system Task 2: Use psarestore/pleskrestore to recover data psarestore/pleskrestore
Step 6) Restore additional Components Task 1:
