Recipe 9.41 Recovering from a Hack

9.41.1 Problem

Your system has been hacked via the network.

9.41.2 Solution

  1. Think. Don't panic.

  2. Disconnect the network cable.

  3. Analyze your running system. Document everything (and continue documenting as you go). Use the techniques described in this chapter.

  4. Make a full backup of the system, ideally by removing and saving the affected hard drives. (You don't know if your backup software has been compromised.)

  5. Report the break-in to relevant computer security incident response teams. [Recipe 9.42]

  6. Starting with a blank hard drive, reinstall the operating system from trusted media.

  7. Apply all security patches from your vendor.

  8. Install all other needed programs from trusted sources.

  9. Restore user files from a backup taken before the break-in occurred.

  10. Do a post-mortem analysis on the original copy of your compromised system. The Coroner's Toolkit (TCT) can help determine what happened and sometimes recover deleted files.

  11. Reconnect to the network only after you've diagnosed the break-in and closed the relevant security hole(s).

9.41.3 Discussion

Once your system has been compromised, trust nothing on the system. Anything may have been modified, including applications, shared runtime libraries, and the kernel. Even innocuous utilities like /bin/ls may have been changed to prevent the attacker's tracks from being viewed. Your only hope is a complete reinstall from trusted media, meaning your original operating system CD-ROMs or ISOs.

The Coroner's Toolkit (TCT) is a collection of scripts and programs for analyzing compromised systems. It collects forensic data and can sometimes recover (or at least help to identify) pieces of deleted files from free space on filesystems. It also displays access patterns of files, including deleted ones. Become familiar with TCT before any break-in occurs, and have the software compiled and ready on a CD-ROM in advance.

The post-mortem analysis is the most time-consuming and open-ended task after a break-in. To obtain usable results may require a lot of time and effort.

9.41.4 See Also

CERT's advice on recovery is at The Coroner's Toolkit is available from or

    Chapter 9. Testing and Monitoring