Slashdot brought two stories to my attention today. The first, and more technical, was of particular interest to me. It details the steps a system administrator took to track down the damage caused by a cracker and to trace his whereabouts on the net.
Shortly after I installed my first Linux distribution, I found that my computer had been compromised. I knew when I set the computer up that it was vulnerable, but I did not know anything about how to secure it. I asked a friend / acquaintance / co-worker to help me secure the system, but we did not move quickly enough to prevent intrusion.
Since I knew very little about Linux administration, I figured the install was a total loss, so I formatted and reinstalled. This time I knew a little bit more and took steps to try to lock down the system a bit more than the first time. I also installed some intrusion detection software. I monitored logs and email to watch for any obvious malicious activity. I also started dating Lisa. I started spending more time with her at her apartment and less time with my computer at my apartment. Some, myself included, would consider this a Good Thing™. I found myself unemployed as a victim of the first Dot-Com Bubble. (Yes, I said "first". I have great concern that the "Web 2.0" phenomenon is really just Dot-Com Bubble 2.0.) In my free time, while not finding any work because there were very few jobs, I wrote a script that, as a current coworker referred to it, was like an RSS aggregator before RSS existed. It was basically a script that would go out to a dozen or more web pages, scrape the content, build an HTML page using their source, then email the page to me. I could then get all of my daily readings in one email. It saved me copious amounts of waiting for bookmarks to load in the days before Firefox tabbed browsing and "Open in Tabs" for bookmarks.
Well, long story short, one day, just after finally getting a job, I stopped receiving these emails. It took me a day or two to actually realize that I was not receiving them, new job and all. I ssh'd in to my machine and started poking around and came across some things that seemed very similar to what lars describes in his post: basic utilities did not respond like they should. I had seen the same thing when my computer had been previously compromised, so I knew I was "hacked". I did the only thing I could at the time: shutdown -h now
It took me a couple of days before I could actually get to my apartment where the machine was physically located to pull the network cable, boot it up, and take a look at things. Yes, the computer was compromised. They came in through an RPC call. There was a rootkit. I had a list of what system files had changed, thanks to Tripwire, but no time to really deal with it. I wasn't sure how to restore the system and pretty much just shelved it.
It sat on the shelf for close to a year. During that year, I had to use Lisa's Win98 computer, which I did not like. She claims that she never had problems with her computer until I started touching it. I finally decided I was going to format the old hard drive, install a new Linux, and start over. First, though, I wanted to get my old home directory off the hard drive so I did not lose all of my collected data. Fortunately, the drive that I intended to copy the data to was bad, so I was unable to save the data and, therefore, could not format the hard drive.
Fortunately? Yes. The following week, two guys in suits come knocking on the door in the evening before I get home from work. Lisa isn't answering the door. They aren't leaving. They just keep pounding on the door. Finally, she goes out the other door and demands to know who they are and what they want. They're FBI and they want me. It turns out that when my computer had been compromised, the perpetrator used it as a jumping point to attack some servers on the east coast (security or defense or banking servers in Virginia, or some such) and the FBI had pages of server logs with my IP address trying to access the system. I guessed as to the dates when this happened, explained that my computer had been compromised, and that I had shut it down as soon as I found out. They asked for proof. If I had wiped the hard drive, I would have had none. As it was, I had the hard drive with all of the data intact. They asked to image the thing. Of course, I agreed. After getting the hard drive back, I never heard from them again.
Finally, a couple of months ago (this was all years ago), I thought, I'm going to try to get that data off this hard drive and wipe it so I can set up a second machine to use as a server / sandbox. It seems that the hard drive is intact, but my data is not. I wonder whatever happened to it. Now I wish I had known what to do to track the scumbag that broke into my computer. I wish I still had the data on the hard drive to track his actions. I wish I knew what had happened so I could make sure that what he did does not affect anything that I have elsewhere. If I only knew then what I know now...