Incident
========

* We had a root compromise on apollo.honeyp.edu! The system is now offline and is being examined.
* The time of exposure was between 2000-11-08 14:48:15+00 and 2000-11-09 *:*:00+00 (the challenge did not provide a time when this box was taken offline!)
* A lot of sniffing and monitoring tools were installed on the system. So far we only have evidence that a network sniffer and a trojaned sshd were activated.
* The tools used do not suggest that this was a very high profile intruder.

!! All user/passwords in this LAN segment may be compromised !!
!! All user/passwords of users who used ssh/scp to apollo.honeyp.edu during that time ARE compromised !!

Next Steps (reasonably paranoid):
=================================

* Do NOT change passwords yet! (There may be other compromised boxes!)

1. Check all the Linux boxes for signs of compromise. (Use evidence.txt as an example of what to look for.) Use private copies of the system commands (ls, find, ps, top etc.).
  1.1. If another compromised box is found:
    1.1.1. -> REPORT to
    1.1.2. Take it offline whenever possible.
    1.1.3. Wait for  with the next steps.
  1.2. If this box was lucky (no signs of compromise): (Do the following from the (text!) console or a trusted remote system. Do NOT consider X11 as safe unless you're on a trusted system with tight security settings!)
    1.2.1. Patch it to the current patch level & install a trusted sshd and tcp wrapper (if not yet used).
    1.2.2. Disable all unneeded services (ftp, telnet, rlogin, rsh as well, replaced by sshd) and install tight tcpd permissions for everything else.
    1.2.3. Leave the box and slogin from a trusted system. Change or lock all the passwords on the system.
2. Check all the other boxes for signs of a compromise. This attacker had Linux systems as primary targets, but this does not mean that other systems cannot be compromised.
  2.*. Follow the needed steps as outlined in 1.[12].
3. Change or lock all the remaining passwords.
4. Create and/or enforce a proper security policy.
5. Name designated security observers for all OS's in use.
6. Report to .  will write a final report after that incident.
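The following helper script is an added example, not part of the original memo and not taken from evidence.txt; it illustrates steps 1 and 1.2.2 above: running the checks with trusted copies of the system commands, looking for the two indicators the memo names (a sniffer, i.e. an interface in promiscuous mode, and a trojaned sshd), and writing a default-deny tcpd policy. The trusted-binary directory /mnt/rescue/bin, the known-good sshd checksum and the 192.0.2.0/24 management network are placeholders to be replaced with site-specific values.

```shell
#!/bin/sh
# Added triage helpers (not from the original memo). Assumptions, labelled:
#   TRUSTED_BIN          - directory of known-good binaries, e.g. mounted
#                          read-only from rescue media (path is an assumption)
#   KNOWN_GOOD_SSHD_SUM  - sha1 of the distribution's sshd, taken from a
#                          trusted package copy (placeholder value here)
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/rescue/bin}"
KNOWN_GOOD_SSHD_SUM="${KNOWN_GOOD_SSHD_SUM:-PLACEHOLDER_SHA1_FROM_TRUSTED_MEDIA}"

# Put the trusted copies of ls/find/ps/netstat/... first in PATH, as the memo
# asks: a rootkit typically replaces exactly the commands you would use to
# detect it, so the system's own copies cannot be relied on.
PATH="$TRUSTED_BIN:$PATH"; export PATH

# check_promisc FILE
#   FILE holds interface flags captured with a trusted binary (output of
#   "ifconfig -a" or "ip link"). Returns 0 if any interface is in PROMISC
#   mode, which is the usual footprint of an active network sniffer.
check_promisc() {
    grep -q 'PROMISC' "$1"
}

# verify_sshd PATH SUM
#   Compare the sha1 of the installed sshd binary with the known-good sum.
#   Returns 0 on match, 1 on mismatch (candidate for a trojaned sshd).
verify_sshd() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# list_listeners FILE
#   FILE holds "netstat -an" output captured with a trusted binary. Prints the
#   listening sockets so each can be matched against the short list of
#   services that should remain after step 1.2.2 (sshd and little else).
list_listeners() {
    grep 'LISTEN' "$1"
}

# write_tcpd_policy DIR [NETS]
#   Write a default-deny tcp wrapper policy into DIR (normally /etc):
#   hosts.deny refuses everything, hosts.allow admits sshd only from the
#   management network NETS. 192.0.2.0/24 is a documentation prefix used as
#   a placeholder for the real trusted network.
write_tcpd_policy() {
    dir="$1"
    nets="${2:-192.0.2.0/255.255.255.0}"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'sshd: %s\n' "$nets" > "$dir/hosts.allow"
}

# Guarded driver: only runs against the live host when TRIAGE_RUN=1 so the
# functions above can be sourced and tested without touching /etc.
if [ "${TRIAGE_RUN:-0}" = 1 ]; then
    ifconfig -a > /tmp/triage.ifc 2>/dev/null
    check_promisc /tmp/triage.ifc && echo "WARNING: interface in PROMISC mode"
    verify_sshd /usr/sbin/sshd "$KNOWN_GOOD_SSHD_SUM" || echo "WARNING: sshd checksum mismatch"
    netstat -an > /tmp/triage.net 2>/dev/null
    list_listeners /tmp/triage.net
fi
```

Run it with `TRIAGE_RUN=1 sh triage.sh` from the text console after mounting the rescue media; an sshd checksum mismatch or a PROMISC interface puts the box into branch 1.1 (report, take offline, wait), otherwise continue with 1.2.1 and call `write_tcpd_policy /etc` as part of 1.2.2.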