Compromised System

From Atomicorp Wiki
Revision as of 14:47, 27 May 2007 by Scott (Talk | contribs)

Jump to: navigation, search

Compromised System checklist

Abstract:

The following is a checklist of tasks to perform when a hosting system has been compromised, to ensure you have all the appropriate data to recover the system and ensure that it will not be compromised again. A key to rapid recovery is to use ASL to minimize the forensic investigation time required to recover. Ideally the specific exploits should be identified in advance, however given time constraints this might not be possible until later. The goal of this checklist is Rapid Recovery.


Preqreqs:

1 Backup server, to store 2 copies of data from the compromised system

1 Valid ASL subscription

Optional: Serial port/KVM console access

Optional: Rescue mode PXE image


 Step 1) Find out how the system was compromised
 Basic tools
 
 rkhunter
 chkrootkit



 Step 2) Back up data from the compromised host. We make 2 copies
 Task 1: Rsync back of compromised host from the backup server
   rsync -av -e ssh root@<IP>:/ /backups/<IP>/
 Task 2: On the compromised host, create a Plesk Backup
   psadump or pleskbackup
 Task 3: Copy the backup to the backup server


 Step 3) Reinstall the system
 Task 1: Reimage the system
 Optional: The AOOI script to image the system with CentOS4 (1and1 users, or users on other EOL'd operating systems like FC4, FC5, etc)
   wget -q -O http://3es.atomicrocketturtle.com/tests/aooi-installer.sh |sh
 Task 2: Update the system
   yum -y update
 Step 4) Install/Configure Atomic Secured Linux
 Task 1: Install ASL
   wget -q -O http://www.atomicorp.com/installers/asl-install.sh |sh
 Task 2: Update signatures
   asl -u
 Task 3: Run ASL in fix mode
   asl -f
 Task 4: Install Plesk (yum or autoupdater)
   yum:
   sub-task 1: Configure PSA channel for the version of your backup you made (ie, psa 7.5 backup, install psa 7.5)
     See http://www.atomicorp.com/channels/plesk/ for plesk channels
       example setting up PSA 7.5.4 channel for centos 4:  vim /etc/yum.repo.d/plesk.repo 
       [plesk-7.5.4]
       name=Atomic Rocket Turtle - $releasever - SW-Soft PSA 7.5.4 RPMS
       baseurl=http://www.atomicorp.com/channels/plesk/7.5.4/centos/$releasever/$basearch
       gpgcheck=0
  
   sub-task 2: Install psa, and support packages
     yum -y install psa psa-bu mailman psa-spamassassin frontpage
   sub-task 3: copy psa.key from rsync backup to /etc/psa/psa.key
     scp /backup/<IP>/etc/psa/psa.key  root@<IP>:/etc/psa/psa.key
   sub-task 4: restart psa
     /etc/init.d/psa restart
   sub-task 5: log into psa, and reconfigure settings. Specifically set the shared IP's
 
 Step 5) Restore t system
 Task 1: Reinstall 
 Task 1: Copy plesk backup to reimaged system
 Task 2: Use psarestore/pleskrestore to recover data
   psarestore/pleskrestore
 Step 6) Restore additional Components
 Task 1:
Personal tools