
Chapter 11. After the compromise (incident response)

11.1. How to react, in general
11.2. Backing up the system
11.3. Contact your local CERT
11.4. Forensic analysis
11.5. Analysis of malicious code

11.1. How to react, in general

If you are physically present during the attack, your first response should be to remove the machine from the network by unplugging the network card (provided this does not disrupt business transactions in progress). Disabling the network at the lowest level is the only real way of keeping the attacker away from the targeted machine (wise advice from Philip Hofmeister).
However, some tools installed by rootkits, trojans and even a rogue user connected through a back door might be capable of detecting this event and reacting to it. Seeing an rm -rf / executed when you unplug the network from the system is not much fun. If you are unwilling to take that risk, and you are sure that the system is compromised, you should unplug the power cable (all of them, if there is more than one) and cross your fingers. This may be extreme but it will, in fact, defeat any logic bomb that the intruder might have programmed. In this case, the compromised system should not be rebooted. Either the hard disks should be moved to another system for analysis, or you should use other media (a CD-ROM) to boot the system and analyze it. You should not use Debian's rescue disks to boot the system, but you can use the shell provided by the installation disks (remember, Alt+F2 will take you to it) to analyze [68] the system.
The recommended method for recovering a compromised system is to use a live filesystem on CD-ROM with all the tools (and kernel modules) you might need to access the compromised system. You can use the mkinitrd-cd package to build such a CD-ROM[69]. You might also find the http://www.caine-live.net/ (Computer Aided Investigative Environment) CD-ROM useful here, since it is a live CD-ROM under active development that carries forensic tools for these situations. There is not (yet) a Debian-based tool of this kind, nor an easy way to build such a CD-ROM from your own selection of Debian packages with mkinitrd-cd (so you will have to read the documentation provided with it to make your own CD-ROMs).
If you want to repair the damage quickly, you should remove the compromised host from your network and reinstall the operating system from scratch. Of course, this may be an ineffective choice, since it does not reveal how the intruder managed to obtain root. To find that out, everything has to be checked: the firewall, file integrity, the host dedicated to log collection, the log files themselves and so on. For more information on what to do after a break-in, see http://www.sans.org/y2k/DDoS.htm or http://www.cert.org/tech_tips/root_compromise.html.
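Footnote [68] suggests saving information on every running process from /proc before pulling the power cord, because the in-memory image of a binary survives even when the attacker has deleted it from disk. The script below is an added example for that step, not code from the Debian manual; it assumes a POSIX shell with GNU or busybox coreutils, and that the output directory (hypothetical /mnt/usb/... path) is on removable media so that nothing is written to the compromised disk.

```shell
#!/bin/sh
# Snapshot of volatile process evidence taken from /proc before power-off.
# Assumption: OUTDIR lives on removable or network media, never on the
# compromised disk (writing there would alter evidence). Added example,
# not part of the Securing Debian Manual.

snapshot_procs() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    : > "$outdir/manifest.txt"       # pid, executable path, working directory
    : > "$outdir/deleted_exes.txt"   # processes whose binary was unlinked from disk
    for p in /proc/[0-9]*; do
        [ -d "$p" ] || continue
        pid=${p#/proc/}
        d="$outdir/$pid"
        mkdir -p "$d"
        # Plain-text views of the process; failures (kernel threads, permissions)
        # are tolerated so that one odd process does not abort the whole capture.
        cp "$p/cmdline" "$d/cmdline" 2>/dev/null || true
        cp "$p/status"  "$d/status"  2>/dev/null || true
        cp "$p/maps"    "$d/maps"    2>/dev/null || true
        # Where the executable and cwd links point; an unlinked binary is
        # reported by the kernel with a trailing " (deleted)".
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        cwd=$(readlink "$p/cwd" 2>/dev/null || true)
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$cwd" >> "$outdir/manifest.txt"
        case "$exe" in
            *" (deleted)") printf '%s\t%s\n' "$pid" "$exe" >> "$outdir/deleted_exes.txt" ;;
        esac
        # /proc/PID/exe still opens the running image after the file on disk
        # was removed, so the binary itself can be recovered from here.
        cp "$p/exe" "$d/exe.bin" 2>/dev/null || true
    done
    return 0
}

# Number of process images that were actually recovered (non-empty exe.bin).
count_saved_exes() {
    find "$1" -name exe.bin -type f -size +0 2>/dev/null | wc -l | tr -d ' '
}

# Typical use on the compromised host, with the USB key mounted read-write:
#   snapshot_procs /mnt/usb/evidence-$(date +%Y%m%d-%H%M%S)
```

After the run, deleted_exes.txt is the first place to look: a process whose executable shows " (deleted)" is running code that no longer exists on disk, and its exe.bin copy is the only remaining sample.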
Some common questions on how to handle a compromised Debian GNU/Linux system are also available in.


[68] If you are adventurous, you can login to the system and save information on all running processes (you'll get a lot from /proc/nnn/). It is possible to get the whole executable code from memory, even if the attacker has deleted the executable files from disk. Then pull the power cord.
[69] In fact, this is the tool used to build the CD-ROMs for the http://www.gibraltar.at/ project (a firewall on a live CD-ROM based on the Debian distribution).