Translation: ZhiQiang
Preparation
I. Discuss the security policy
If your organization has no security policy of its own, follow these steps to establish one:
1. Consult with management
Notifying management of the intrusion may be important in some organizations. With management aware of the recovery effort, the network administrators can obtain the cooperation of the organization's other departments. Be aware, too, that an intrusion may attract media attention.
2. Consult with legal counsel
Before you begin recovery, your organization needs to decide whether to pursue a legal investigation.
Note that CERT (Computer Emergency Response Team) provides only technical assistance and helps network hosts respond to security incidents faster; it does not give legal advice. For legal questions, consult your own legal counsel, who can tell you what liability (civil or criminal) the intruder may bear and what the relevant legal procedures are.
Now is the time to decide how to handle the incident: you can harden your own system, or choose to report it to the police.
If you want to find out who the intruder is, consult with management and legal counsel to see whether the intruder has broken local or national law. Based on that, you can file a report and find out whether the police are willing to investigate.
Discuss the following questions about the intrusion with management and legal counsel:
Whether tracing the intruder or tracking network connections would break the law.
What liability your site bears if it was aware of the intrusion but took no action to stop it.
Whether the intruder has broken national or local law.
Whether an investigation is needed.
Whether to report to the police.
3. Reporting to the police
Generally, if you want to conduct any kind of investigation or prosecute the intruder, first discuss the questions above with management and legal counsel, then notify the relevant law enforcement agency.
Remember: unless law enforcement is involved, any tracing of the intruder you carry out may be illegal.
4. Inform other relevant people
Besides management and legal counsel, you also need to notify the people your recovery work may affect, such as other network administrators and users.
II. Record every step of the recovery
It is no exaggeration to say that recording every step you take during recovery is extremely important. Recovering a compromised system is troublesome and time-consuming, which often leads people to make hasty decisions. Recording each step helps you avoid those decisions and serves as a reference later. The record may also help a legal investigation.
Regaining control of the system
I. Disconnect the compromised system from the network
To regain control of the compromised system, disconnect it from the network, including dial-up connections. After disconnecting, you may want to enter single-user mode on UNIX or local administrator mode on NT to regain control. However, rebooting or switching to single-user/local administrator mode loses useful information, because every process currently running on the compromised system is killed.
Therefore, you may want to go to the "Check for network sniffers" section first to determine whether a sniffer is running on the compromised system.
During recovery, keeping a UNIX system in single-user mode prevents users, intruders and intruder processes from accessing the system or changing the host's running state.
If the compromised system is not disconnected from the network during recovery, the intruder may connect to your host while you work and undo your recovery.
II. Make an image of the compromised system
Before you begin analyzing the intrusion, back up the compromised system. You may need it later.
If you have a disk of the same size and type, you can use the UNIX dd command to copy the compromised system to it.
For example, on a Linux system with two SCSI disks, the following command makes an exact copy of the compromised system (on /dev/sda) onto a backup disk of the same size and type (/dev/sdb):
# dd if=/dev/sda of=/dev/sdb
There are other ways to back up a compromised system. NT has no built-in command like dd, but third-party programs can copy the compromised system's entire disk image.
Making a backup is very important: you may need to restore the system to the state it was in when the intrusion was discovered, and the backup may help a legal investigation. Record the backup's volume label, marking and date, then store it in a safe place to preserve data integrity.
Intrusion analysis
Now you can review log files and system configuration files, looking for traces of the intrusion, changes the intruder made to the system, and weaknesses in the system configuration.
I. Check for intruder modifications to system software and configuration files
Verify all binaries on the system
When checking for intruder modifications to system software and configuration files, remember that the verification tools you use may themselves have been modified, and the operating system kernel may have been modified too; this is very common. Boot the system from a trusted kernel, and make sure all the analysis tools you use are clean. On UNIX, you can obtain a trusted kernel by creating a boot disk and write-protecting it.
Thoroughly check all system binaries by comparing them against the original distribution media (for example, the CD-ROM), because a great many trojaned binaries that attackers install on systems have been found.
On UNIX systems, the binaries most often replaced by trojan horses are: telnet, in.telnetd, login, su, ftp, ls, ps, netstat, ifconfig, find, du, df, libc, sync, inetd and syslogd. You also need to check every file referenced by /etc/inetd.conf, important network and system programs, and shared libraries.
On NT systems, trojan horses usually spread viruses or so-called "remote administration programs" such as Back Orifice and NetBus, and they replace some of the system files that handle network connections.
Some trojan programs have the same timestamp and sum checksum as the original binary, so a checksum alone cannot tell you whether a file has been modified. For UNIX systems, therefore, use the cmp program to compare the binaries on the system directly against the corresponding files on the original distribution media.
Another way to check suspicious binaries is to obtain MD5 checksums of the released binaries from the vendor and check the suspicious binaries against them. This method works on both UNIX and NT.
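As an added example (not from the tech tip or from CERT), the following POSIX shell script records checksums of critical binaries while the system is still trusted and later compares a suspect system against that manifest; it uses sha256sum from GNU coreutils rather than the MD5 sums mentioned above, and the directory layout and file contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CERT tech tip: keep a checksum manifest of
# critical binaries taken while the system is still trusted, then verify a
# suspect system against it. Uses sha256sum (GNU coreutils) instead of MD5.
# Store the manifest and this script on write-protected media, as the text
# advises for the trusted kernel and clean tools.

# Binaries the text lists as the ones most often replaced by trojan horses
# (constructed list; adjust the directories for your system).
CRITICAL_BINS="telnet in.telnetd login su ftp ls ps netstat ifconfig find du df sync inetd syslogd"

# make_manifest DIR... : print "hash  path" for every regular file under DIR
make_manifest() {
  for d in "$@"; do
    find "$d" -type f -exec sha256sum {} + 2>/dev/null
  done | sort -k 2
}

# manifest_for_critical DIR... : like make_manifest, but only for the
# CRITICAL_BINS that exist in the given directories
manifest_for_critical() {
  for d in "$@"; do
    for b in $CRITICAL_BINS; do
      [ -f "$d/$b" ] && sha256sum "$d/$b"
    done
  done | sort -k 2
}

# verify_manifest MANIFEST : recompute each hash; print MODIFIED/MISSING lines.
# Returns 0 when everything matches, 1 otherwise.
verify_manifest() {
  manifest=$1
  rc=0
  while read -r want path; do
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"
      rc=1
      continue
    fi
    have=$(sha256sum "$path" | cut -d ' ' -f 1)
    if [ "$have" != "$want" ]; then
      echo "MODIFIED $path"
      rc=1
    fi
  done < "$manifest"
  return $rc
}

# demo: constructed sample tree with a clean check, then a "trojaned" ps
# and a deleted ls, to show both failure reports
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/bin"
  printf 'original ls\n' > "$tmp/bin/ls"
  printf 'original ps\n' > "$tmp/bin/ps"
  manifest_for_critical "$tmp/bin" > "$tmp/manifest"   # taken while trusted
  verify_manifest "$tmp/manifest" && echo "clean: all binaries match"
  printf 'trojaned ps\n' > "$tmp/bin/ps"                # simulated replacement
  rm -f "$tmp/bin/ls"                                   # simulated deletion
  verify_manifest "$tmp/manifest" || echo "integrity check FAILED"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh integrity.sh demo` to see the constructed walkthrough; in practice the manifest must come from the distribution media or a system you still trust, since a manifest generated on the compromised host proves nothing.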
Verify system configuration files
On UNIX systems, perform the following checks:
Check /etc/passwd for suspicious users.
Check whether /etc/inetd.conf has been modified.
If your system allows the r-commands (rlogin, rsh, rexec), check /etc/hosts.equiv and the .rhosts files.
Check for new SUID and SGID files. The following command prints all SUID and SGID files on the system:
# find / \( -perm -004000 -o -perm -002000 \) -type f -print
For NT, perform the following checks:
Check for unusual user accounts and group memberships.
Check whether the registry entries that start programs at logon or as services have been modified.
Check for unauthorized hidden shares with the "net share" command and the Server Manager tool.
Check for processes that the pulist.exe program does not recognize.
II. Check for modified data
Intruders frequently modify data on the system. Verify web page files, FTP archives, files in users' home directories and other files.
III. Check for tools and data left behind by the intruder
Intruders usually install tools on the system so they can keep monitoring it.
Intruders generally leave the following kinds of files on the system:
Network sniffers
A network sniffer is a utility that monitors and records network activity. Intruders usually use a sniffer to capture user names and passwords that are transmitted in clear text across the network.
Sniffers are more common on UNIX systems.
Trojan horse programs
A trojan horse program appears to perform one function while actually performing another. Intruders use trojan horses to hide their activity, to capture user names and passwords, and to create back doors for future access to the compromised system.
Back doors
A back door hides itself on the compromised system and lets the intruder get in without going through normal system authentication and without needing to run an exploit against a security flaw.
Exploit programs
Running software with security flaws is a major reason systems are compromised. Intruders often use attack tools aimed at known security flaws to gain unauthorized access to a system. These tools usually remain on the system, stored in a hidden directory.
Other tools used by intruders
The list above does not cover every intrusion tool; attackers may leave other tools on the system, including:
Tools that probe systems for security flaws
Scripts that launch large-scale probes of other sites
Tools that launch denial-of-service attacks
Programs that use the compromised host's computing and network resources
Output from intruder tools
You may find log files left by intruder tools. These files may name other sites involved, the security flaws the attacker exploited, and security flaws at other sites.
Therefore, search the system thoroughly for the tools listed above and their output files. Be careful: during the search, use copies of the search tools that the attacker has not modified.
The search can concentrate on the following:
Check for unexpected ASCII files in the /dev directory on UNIX systems. The configuration files used by some trojaned binaries are usually kept in /dev.
Examine hidden files and hidden directories carefully. If the intruder created a new account on the system, that account's home directory and the files it uses may be hidden.
Check for directories and files with very strange names, such as "..." (three dots), ".." (two dots) and blank names (on UNIX systems). Intruders usually hide files in such directories. On NT, check for directories and files whose names closely resemble system file names.
IV. Review the system log files
Reviewing your system log files in detail tells you how the system was compromised, what the attacker did during the intrusion, and which remote hosts accessed your host. With this information you get a clearer picture of the intrusion.
Remember: any log file on the system may have been altered by the intruder.
On UNIX systems, look at /etc/syslog.conf to find where the log files are written. NT normally uses three log files to record all NT events; each event is written to one of them, and you can view them with Event Viewer. Other NT applications may keep their logs elsewhere; for example, the default log directory for the IIS server is c:\winnt\system32\logfiles.
Below is a list of commonly used UNIX log files. Depending on your system configuration, some of them may not exist on your system.
messages
The messages log file holds a great deal of information. Look in it for unusual entries and for what happened during the intrusion.
xferlog
If the compromised system provides FTP service, xferlog records every FTP transfer. This information helps you determine which tools the intruder uploaded to your system and what was downloaded from it.
utmp
Holds information about every user currently logged in, in binary format. This file can only tell you who is logged in right now. Use the who command to read it.
wtmp
Every successful login, logout and system reboot leaves a record in wtmp. This file is also in binary format, so you need a utility to extract useful information from it; last is one such tool. It prints a table with the user name, login time, the name of the host the connection came from, and other details; see man last for usage. Checking this file for suspicious connections helps you identify the hosts involved in the intrusion and find out which accounts on the system may have been compromised.
secure
Some versions of UNIX (for example, RedHat Linux) log tcp_wrappers messages to the secure file. If the system's inetd daemon uses tcp_wrappers, every connection request for a service outside what inetd offers adds a log entry to this file. Examining it can reveal unusual service requests or connections from unfamiliar hosts.
The most basic rule of log review is to look for anomalies.
V. Check for network sniffers
After breaking into a UNIX system, an intruder usually installs a network monitoring program, called a sniffer or packet sniffer, to collect user names and passwords. On NT, intruders use remote administration programs for the same purpose.
To determine whether a sniffer has been installed, first check whether any process has put a network interface into promiscuous mode. If any interface is in promiscuous mode, a sniffer may be installed. Note that you may not be able to detect promiscuous mode if you have rebooted the system or are working in single-user mode. The ifconfig command shows whether a network interface is in promiscuous mode (be sure to use a copy of ifconfig the intruder has not modified):
# /path-of-clean-ifconfig/ifconfig -a
Some utilities can help you detect sniffers on the system:
cpm (Check Promiscuous Mode) - UNIX
Available from: ftp://coast.cs.purdue.edu/pub/tools/unix/cpm/
ifstatus - UNIX
Available from: ftp://coast.cs.purdue.edu/pub/tools/unix/ifstatus/
neped.c
Available from: ftp://apostols.org/AposTolls/snoapshots/neped/neped.c
Remember that some legitimate network monitoring programs and protocol analyzers also put the interface into promiscuous mode, so detecting an interface in promiscuous mode does not by itself mean a sniffer is running.
However, an article in Phrack Magazine (Volume 8, Issue 53, July 8, 1998, article 10 of 15, "Interface Promiscuity Obscurity") provides modules for FreeBSD, Linux, HP-UX, IRIX and Solaris that clear the IFF_PROMISC flag, allowing a sniffer to evade such tools. So even if these tools find no sniffer, you cannot be sure the attacker has not installed one.
The widespread use of LKMs (Loadable Kernel Modules) has also made detection harder. For that aspect, see the material on using KSAT to detect loadable kernel modules.
Another point to note is that a sniffer's log file grows rapidly. Using df to see whether some part of the file system has become unusually large can also reveal a sniffer. Using lsof to find the log files a sniffer has opened and the programs that access the packet device is recommended. Again, the df you use must also be clean.
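As an added example that is not part of the tech tip, this POSIX shell snippet reads the interface flags word directly from Linux sysfs (/sys/class/net/<iface>/flags) instead of trusting the host's ifconfig binary, and tests the IFF_PROMISC bit (0x100); it assumes a Linux system, and the caveat above still applies, since a kernel module that clears the flag defeats this check as well.

```shell
#!/bin/sh
# Added example, not part of the CERT tech tip: check for promiscuous
# interfaces on Linux by reading the flags word from sysfs rather than
# running the host's ifconfig, which may have been trojaned (see the
# list of commonly replaced binaries above). Assumes Linux sysfs.
# Caveat from the text still applies: a kernel module that clears
# IFF_PROMISC hides the interface from this check too.

IFF_PROMISC=256   # 0x100 in the Linux interface flags word

# is_promisc FLAGS : FLAGS is the hex word from /sys/class/net/<iface>/flags,
# e.g. 0x1103. Prints "yes" if the IFF_PROMISC bit is set, else "no".
is_promisc() {
  flags=$(( $1 ))                     # shell arithmetic parses 0x... constants
  if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then
    echo yes
  else
    echo no
  fi
}

# list_promisc_ifaces : print the name of every interface in promiscuous mode.
# Prints nothing (and returns 0) when sysfs is absent or no interface matches.
list_promisc_ifaces() {
  for f in /sys/class/net/*/flags; do
    [ -r "$f" ] || continue
    iface=${f#/sys/class/net/}
    iface=${iface%/flags}
    if [ "$(is_promisc "$(cat "$f")")" = yes ]; then
      echo "$iface"
    fi
  done
  return 0
}

# Run as `sh promisc.sh check`: report, and exit non-zero if anything is
# promiscuous so a wrapper can log the result.
if [ "${1:-}" = "check" ]; then
  found=$(list_promisc_ifaces)
  if [ -n "$found" ]; then
    echo "promiscuous interfaces: $found"
    exit 2
  fi
  echo "no promiscuous interfaces found (this does not prove no sniffer is present)"
fi
```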
Once you find a sniffer on the system, examine its output files to determine which hosts have been exposed. The destination hosts of the packets the sniffer captured are at risk, but if passwords are sent in clear text, or the destination and source hosts trust each other, the source hosts are at even greater risk.
A sniffer's log format usually looks like this:
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
PATH: not_at_risk.domain.com(1567) => at_risk.domain.com(telnet)
The following command extracts the list of at-risk hosts from a sniffer log file:
% grep PATH: $sniffer_log_file | awk '{print $4}' | awk -F\( '{print $1}' | sort -u
You may need to adjust this command to your situation. Some sniffers encrypt their log files, which makes the check harder.
Be aware that the hosts that appear in the sniffer log are not the only ones at risk; other hosts may be threatened as well.
See http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html for more detailed information.
VI. Check other systems on the network
Besides the system you know to be compromised, check every other system on the network, particularly systems that share network services with the compromised host (for example, NIS, NFS) or that trust it through some mechanism (for example, hosts.equiv or .rhosts files, or a Kerberos server).
Use CERT's intruder detection checklists for this step:
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
VII. Check remote sites that are involved or at risk
While reviewing log files, the output of intruder programs, and files modified or created since the intrusion, note which sites may have connected to the compromised system. Experience shows that sites that connected to a compromised host have usually been compromised themselves, so identify other possibly compromised systems as soon as you can and notify their administrators.
Notifying the relevant CSIRT and other sites involved
I. Incident reports
Intruders often use a compromised account or host to launch attacks on other sites. If you find intrusion activity aimed at other sites, contact them right away. Tell them the signs of intrusion you found, and advise them to check whether their systems have been compromised and how to protect them. Give them as much detail as possible, including dates/timestamps, the time zone, and whatever other information they need.
You can also submit an incident report to CERT (Computer Emergency Response Team) and get recovery advice from them.
The site for mainland China is: http://www.cert.org.cn
II. Contact the CERT Coordination Center
You can also fill in an incident report form and e-mail it to http://www.cert.org to get more help. CERT analyzes attack trends from the incident reports and folds the results into its advisories and summaries, which helps stop attacks from spreading. The incident report form is available at:
http://www.cert.org/ftp/incident_reporting_form
III. Obtain contact information for the sites involved
To find contact information for top-level domains (.com, .edu, .net, .org, etc.), use the InterNIC whois database: http://rs.internic.net/whois.html.
To find exact registrant information, use the InterNIC registrant directory: http://rs.internic.net/origin.html.
For contact information in the Asia-Pacific region and Australia, see: http://www.apnic.net/apnic-bin/whois.pl and http://www.aunic.net/cgi-bin/whois.aunic
If you need contact information for other incident response teams, see the contact list of FIRST (Forum of Incident Response and Security Teams): http://www.first.org/team-info/
For other contact information, see: http://www.cert.org/tech_tips/finding_site_contacts.html
When contacting hosts involved in the intrusion, do not send mail to root or postmaster: if those hosts have been compromised, the intruder may have superuser privileges and could read or intercept the mail.
Recovering the system
I. Install a clean version of the operating system
Remember that once a host has been compromised, anything on the system may have been modified by the attacker, including the kernel, binary executables, data files, running processes and memory. Generally, the only way to free the system of back doors and the attacker's influence is to reinstall the operating system from the distribution media and apply all security patches before reconnecting to the network. Merely finding and fixing the flaw the attacker exploited is not enough.
We recommend backing up the entire system with a clean backup program, then reinstalling the system.
II. Disable unnecessary services
Configure only the services the system needs to provide and disable the rest. Check that each service's configuration files have no weaknesses and that the service itself is trustworthy. Generally, the most conservative strategy is to disable all services and then enable only the ones you need.
III. Install all vendor patches
We strongly recommend installing all security patches. This is the most important step in making your system resistant to attack and preventing it from being compromised again.
Keep up with all upgrade and patch information for your systems.
IV. Consult CERT advisories, summaries and vendor bulletins
We encourage you to review previous CERT advisories and summaries, and vendor security bulletins, and to install all security patches.
CERT advisories: http://www.cert.org/advisories/
CERT summaries: http://www.cert.org/advisories/
Vendor bulletins: ftp://ftp.cert.org/pub/cert_bulletins/
V. Use backup data with caution
When restoring data from backups, make sure the backup host has not been compromised. Remember that restoring may reintroduce security flaws for an intruder to exploit. If you restore only users' home directories and data files, remember that those files may contain trojan horse programs. Also watch for .rhosts files in users' home directories.
VI. Change passwords
After you have closed the security holes or fixed the configuration problems, change the passwords of every account on the system. Make sure no account password is easy to guess. You may need vendor-supplied or third-party tools to enforce password strength.
Strengthening system and network security
I. Check system security against the CERT UNIX/NT configuration guidelines
The CERT UNIX/NT configuration guidelines help you check for configuration problems that intruders commonly exploit.
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
http://www.cert.org/tech_tips/win_configuration_guidelines.html
II. Consult the security tools document
See the following article to decide which security tools to use: http://www.cert.org/tech_tips/security_tools.html
III. Install security tools
Install all the security tools you have chosen before connecting the system to the network. It is also a good idea to use tools such as Tripwire or AIDE to take MD5 checksums of system files and store the checksums in a safe place so the system can be checked later.
IV. Enable logging
Enable logging, auditing and accounting, and set them to appropriate levels; for example, sendmail logging should be level 9 or higher. Back up your log files regularly, or write logs to another machine, to an append-only file system, or to a secure log host.
V. Configure a firewall to defend the network
There are many articles on firewall configuration, so they are not listed here. You can also see: http://www.cert.org/tech_tips/packet_filtering.html
Reconnecting to the Internet
After completing the steps above, you can reconnect the system to the Internet.
Updating your security policy
The CERT Coordination Center recommends that every site have its own computer security policy. Each organization has its own culture and security needs, so the policy must be tailored to its circumstances. See RFC 2196, the Site Security Handbook: ftp://ftp.isi.edu/in-notes/rfc2196.txt
I. Summarize the lessons learned
Draw lessons about this incident from your records; this helps you review your security policy.
II. Calculate the cost of the incident
Many organizations improve their security policy only after paying a heavy price. Calculating the cost of the incident helps your organization, and its managers, recognize how important security is.
III. Improve your security policy
The final step is to revise your security policy. Make sure everyone in the organization knows about the changes and how the changes affect them.