11.1. General behavior
If you are physically present when the attack is happening, your first response should be to remove the machine from the network by unplugging the network card (provided this does not disrupt business transactions in progress). Disabling the network at the lowest level is the only reliable way to keep the attacker out of the targeted host (wise advice from Philip Hofmeister).
However, some tools installed by rootkits, trojans and even a rogue user connected through a back door might be capable of detecting this event and reacting to it. Seeing an rm -rf / executed the moment you unplug the network from the system is not much fun. If you are unwilling to take that risk, and you are sure that the system is compromised, you should unplug the power cable (all of them, if there is more than one) and cross your fingers. This may be extreme but it will, in fact, defeat any logic bomb the intruder might have programmed. In this case the compromised system should not be rebooted. Either the hard disks should be moved to another system for analysis, or you should boot the system from other media (a CD-ROM) and analyze it from there. You should not use Debian's rescue disks to boot the system, but you can use the shell provided by the installation disks (remember, Alt+F2 will take you to it) to analyze the system.
The recommended method for recovering a compromised system is to use a live filesystem on CD-ROM with all the tools (and kernel modules) you might need to access the compromised system. You can use the mkinitrd-cd package to build such a CD-ROM. You might also find the http://www.caine-live.net/ (Computer Aided Investigative Environment) CD-ROM useful here, since it is a live CD-ROM under active development with forensic tools suited to these situations. There is not (yet) a Debian-based tool of this kind, nor an easy way to build the CD-ROM from your own selection of Debian packages with mkinitrd-cd (so you will have to read the documentation provided with it to make your own CD-ROMs).
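Once the disks are reachable from a trusted boot medium, the first thing to do is take a raw image of them, hash both source and copy, and then work only on the copy. The script below is an added example for this section, not code from the Securing Debian Manual; the device path, the evidence prefix and the mount point are assumptions you pass as arguments. It also shows the two pitfalls a practitioner most often trips over here: conv=sync padding the last block when the dd block size is larger than a sector, and an ext3/ext4 journal being replayed onto the evidence even on a read-only mount unless noload is given.

```shell
#!/bin/sh
# Added example: acquire a raw image of a compromised disk from a trusted
# boot medium, hash source and copy, and mount the copy without altering it.
# Device and output paths are assumptions; pass your own as arguments.
set -eu

now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# acquire_image SOURCE DEST_PREFIX
# Writes DEST_PREFIX.img, DEST_PREFIX.sha256 and DEST_PREFIX.log.
# Returns 0 only if the SHA-256 of the image matches the SHA-256 of the
# source taken after imaging, i.e. the copy is exact and the source did
# not change while it was being read.
acquire_image() {
    src=$1
    dest=$2
    log="$dest.log"

    # bs=512 (the sector size) on purpose: conv=sync pads every short read
    # up to bs, so with bs=4M a device whose size is not a multiple of 4 MiB
    # gets a padded last block and the hashes no longer match.
    # conv=noerror keeps going past unreadable sectors instead of aborting.
    printf '%s acquisition of %s started\n' "$(now)" "$src" >"$log"
    dd if="$src" of="$dest.img" bs=512 conv=noerror,sync 2>>"$log"

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest.img" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" >"$dest.sha256"
    printf '%s  %s\n' "$img_hash" "$dest.img" >>"$dest.sha256"

    if [ "$src_hash" = "$img_hash" ]; then
        printf '%s hashes match: %s\n' "$(now)" "$img_hash" >>"$log"
        return 0
    fi
    printf '%s HASH MISMATCH source=%s image=%s\n' "$(now)" "$src_hash" "$img_hash" >>"$log"
    return 1
}

# mount_image IMAGE MOUNTPOINT
# ro alone is not enough on ext3/ext4: a journal left dirty by the power
# pull is replayed onto the filesystem unless noload is also given.
# noexec/nosuid/nodev stop anything on the evidence from running on, or
# exposing device nodes to, the analysis host.
mount_image() {
    mount -o ro,loop,noexec,nosuid,nodev,noload "$1" "$2"
}

# Usage (paths are assumptions):
#   sh acquire.sh /dev/sdX /mnt/evidence/hostname
#   mount_image /mnt/evidence/hostname.img /mnt/analysis
if [ "$#" -ge 2 ]; then
    acquire_image "$1" "$2"
fi
```

Keep the .sha256 file with the image: re-hashing the copy before each analysis session is what lets you show later that the evidence was not modified.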
If you want to repair the damage quickly, you should remove the compromised host from your network and reinstall the operating system from scratch. Of course, this may not be an effective choice, since it does not reveal how the intruder managed to gain root in the first place. To find that out, you need to check everything: the firewall, file integrity, the dedicated log host, the log files themselves, and so on. For more information on what to do while following up a break-in, see http://www.sans.org/y2k/DDoS.htm or http://www.cert.org/tech_tips/root_compromise.html.
Some common questions on how to handle a compromised Debian GNU/Linux system are also available in.