9.41. Recovering from a Hack

Problem

Your system has been hacked via the network.

Solution

  1. Think. Don’t panic.

  2. Disconnect the network cable.

  3. Analyze your running system. Document everything (and continue documenting as you go). Use the techniques described in this chapter.

  4. Make a full backup of the system, ideally by removing and saving the affected hard drives. (You don’t know if your backup software has been compromised.)

  5. Report the break-in to relevant computer security incident response teams. [Recipe 9.42]

  6. Starting with a blank hard drive, reinstall the operating system from trusted media.

  7. Apply all security patches from your vendor.

  8. Install all other needed programs from trusted sources.

  9. Restore user files from a backup taken before the break-in occurred.

  10. Do a post-mortem analysis on the original copy of your compromised system. The Coroner’s Toolkit (TCT) can help determine what happened and sometimes recover deleted files.

  11. Reconnect to the network only after you’ve diagnosed the break-in and closed the relevant security hole(s).

Discussion

Once your system has been compromised, trust nothing on the system. Anything may have been modified, including applications, shared runtime libraries, and the kernel. Even innocuous utilities like /bin/ls may have been changed to prevent the attacker’s tracks from being viewed. Your only hope is a complete reinstall from trusted media, meaning your original operating system CD-ROMs or ISOs.
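One concrete form of the post-mortem analysis in step 10, added here as an example that is not part of the book: from a clean analysis host, compare files on a read-only mounted copy of the compromised disk against a manifest of known-good SHA-256 hashes, so a trojaned /bin/ls or a deleted binary shows up without trusting anything on the compromised system. The manifest format (sha256sum output), the mount point, and the tiny demo trees are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline integrity check of a seized disk image.
# Assumptions: the compromised filesystem is mounted read-only under
# $root on a clean host, and $manifest holds "sha256  relative/path"
# lines taken from a trusted install (sha256sum output format).
set -u

# Print one line per file that differs from the manifest or is missing.
# Returns 0 if every listed file matches, 1 if anything is tampered or gone.
check_image() {
    manifest=$1
    root=$2
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -e "$root/$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum -- "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demo data: a "trusted" tree, its manifest, and a "suspect"
# copy in which bin/ls has been replaced and bin/ps has been deleted.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/trusted/bin" "$demo_dir/suspect/bin"
printf 'original ls\n'  > "$demo_dir/trusted/bin/ls"
printf 'original ps\n'  > "$demo_dir/trusted/bin/ps"
printf 'original cat\n' > "$demo_dir/trusted/bin/cat"
( cd "$demo_dir/trusted" && sha256sum bin/ls bin/ps bin/cat ) > "$demo_dir/manifest"
cp "$demo_dir/trusted/bin/cat" "$demo_dir/suspect/bin/cat"
printf 'replaced ls that hides files\n' > "$demo_dir/suspect/bin/ls"
# bin/ps is intentionally absent from the suspect tree.

# Expected report: MODIFIED bin/ls and MISSING bin/ps; bin/cat is unchanged.
check_image "$demo_dir/manifest" "$demo_dir/suspect" \
    || echo "Integrity check failed: do not trust this image"
```

On a real image, generate the manifest from the distribution's package data or a freshly installed reference system, never from the compromised disk itself.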

The Coroner’s Toolkit (TCT) is a collection of scripts and ...
