[CentOS] an actual hacked machine, in a preserved state

Tue Jan 3 15:31:46 UTC 2012
Marc Deop <damnshock at gmail.com>

On Tuesday 03 January 2012 07:57:47 Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton <bennett at peacefire.org> wrote:
> >
> > But assuming the attacker is targeting my production system, suppose
> > they find a vulnerability and obtain the ability to run commands as root
> > on the system.  Then wouldn't their first action be to remove
> > restrictions on where you can log in from?  (Or, they could just
> > continue to run root commands using whatever trick they'd discovered?)
> 
> No, they'd probably replace your ssh binary with one that makes a
> hidden outbound connection to their own control center.  And replace
> netstat with one that doesn't show that connection.   If anyone has
> ever gotten root access, all other bets are off - those tools are a
> dime a dozen.

Those kind of things can be detected with SHA512 (for example)

> 
> > Yes, but the argument for "security over obscurity" is that the "secret"
> > should reside in something that cannot be obtained even in trillions of
> > trillions of guesses (i.e. a strong password), not in something that
> > could be obtained in a few dozen or a few thousand guesses (i.e. finding
> > OpenVPN listening on a given port).  The reason being is that if
> > something is obtainable in a few thousand guesses, then it will create
> > the illusion of being unguessable, but an attacker could still get it.
> 
> Openvpn runs over UDP.  With the tls-auth option it won't respond to
> an unsigned packet.  So without the key you can't tell the difference
> between a listening openvpn or a firewall that drops packets silently.
>  That is, you can't 'find' it.

We are not going to argue drop vs reject, are we? :P

> 
> > Unfortunately it may not be possible to tell that a particular safeguard
> > ever actually "worked" or made a difference.  How could you ever know,
> > for example, that an attacker was stopped because you used an ssh key
> > instead of a 12-character truly random password?
> 
> If you look at your logs under normal conditions, you'll know if
> someone has tried and failed a password login.  After someone has
> gotten in, it may be too late because they can destroy the evidence.
> Logging remotely to a more protected machine can help a bit.
> 

Remote syslog? that way they'll have to hack into two different machines...

Regards