These outline steps are based on the references in the cross-platform section of the resource list below.
- Please make sure that you have reported the incident to CamCERT and to any appropriate local staff.
- Disconnect the system from the network, if you have not already done so. Do not switch it off or reboot it: valuable evidence (running processes, open network connections and anything else held only in memory) is lost when the machine goes down.
- If you can, make a backup of the system (ideally a full disk image) to preserve a snapshot of its state before re-installation. This is useful if you later find you forgot to copy something you need, and for evidential purposes if the incident is pursued further.
- Determine the extent of the compromise. Check log files and configuration files; look for modified files, for ports left open and for tools and data left behind by the intruder(s). Bear in mind that the compromised system's own tools (ps, netstat, ls and the like) may themselves have been replaced, so compare against known-good copies or examine the disk from another machine.
- If possible, determine how the compromise occurred. There is not much point in rebuilding a system exactly as it was before: it will only be compromised again.
- Are there trust relationships with other systems which may lead to those machines also being compromised? For example, do you have other machines with the same configuration? Do users have the same passwords on several systems? Has the attacker gathered information about other systems, e.g. from probes, sniffers or keystroke loggers? If you are in doubt about any other system, investigate that too, or inform its system manager if it is not a machine for which you are responsible.
- Install a clean version of the operating system and apply the latest patches. Most standard installations leave a number of holes, so applying patches (and anti-virus software, where appropriate) before the machine is reconnected to the network is vital; if the installer itself needs network access, do this behind a firewall or on an isolated network segment.
- Turn off unnecessary services. For example, don't leave mail, web and ftp servers running if they're not essential. Many services are likely to be installed by default and together these can make a machine vulnerable to a significantly greater range of threats.
- Make sure the services you do need are configured properly and securely.
- If you have preserved any file systems (for example user home directories), check that these do not contain malicious or trojan code before restoring them.
- Change all passwords. Explain to your users why this has been done, otherwise they may simply change them back again. If they have used the same passwords elsewhere they should change those as well. Encourage the use of strong passwords. For Windows systems, note that Microsoft encourages the use of passphrases: if well chosen (and "This is my passphrase" is not well chosen!) these are less vulnerable to attack, and they are often easier to remember than a long (10 characters or more) password.
- Make sure there is a routine for maintaining the machine. Regularly check for, and install patches to operating system and applications - where possible, set this to happen automatically.
- Use third-party tools to enhance baseline security. No tool can guarantee to prevent compromise, but such tools can help you keep an eye on your system; for example, integrity checkers can verify files against a known-good baseline to ensure they have not been subverted.
- Make contingency plans, ideally before you have a problem: it is much easier to come up with a coherent and sensible strategy if you are not trying to firefight at the same time!
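As an added example, written for this page rather than taken from CamCERT or any of the tools in the resource list, the following script is a minimal version of the integrity checking mentioned in the last steps and of the "look for modifications made to files" check earlier. It records a baseline of a directory tree (content hash, mode, setuid bit, owner and size for each file) and later reports which files changed, appeared or disappeared. The manifest format, field names and the `baseline`/`verify` command names are this example's own choices.

```python
"""Minimal file-integrity checker: take a baseline of a tree, later verify it.

Added example for this page, not code from CamCERT or any listed tool.
Intended use (an assumption, not a tested workflow): run `baseline` on a
freshly rebuilt machine before it is reconnected to the network, store the
manifest off the host, and run `verify` on a schedule or when compromise is
suspected.
"""
import hashlib
import json
import os
import stat
from pathlib import Path


def _file_record(path: Path) -> dict:
    """Hash the contents and capture the metadata an intruder typically alters."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        # A symlink redirected to another target counts as a change.
        h.update(os.readlink(path).encode())
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def baseline(root: Path) -> dict:
    """Walk `root` and return {relative path: record} for every file and symlink."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            records[str(p.relative_to(root))] = _file_record(p)
    return records


def verify(root: Path, manifest: dict) -> dict:
    """Compare the tree against a manifest; report changed, added and removed paths.

    'changed' maps path -> list of fields that differ, so a binary whose hash
    changed is distinguished from one that merely became setuid.
    """
    current = baseline(root)
    changed = {}
    for rel, old in manifest.items():
        new = current.get(rel)
        if new is None:
            continue  # reported under 'removed' below
        diffs = [k for k in old if old[k] != new.get(k)]
        if diffs:
            changed[rel] = diffs
    return {
        "changed": changed,
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest. Keep this copy off the monitored host (read-only
    media or another machine): an intruder with root can otherwise rewrite it."""
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


if __name__ == "__main__":
    import sys
    # usage: integrity.py baseline|verify <root> <manifest.json>
    cmd, root, manifest_path = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if cmd == "baseline":
        save_manifest(baseline(root), manifest_path)
    elif cmd == "verify":
        report = verify(root, load_manifest(manifest_path))
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Two design points matter more than the hashing itself. The baseline is only trustworthy if it was taken from a clean install, which is why it belongs in the rebuild procedure and not afterwards; and the manifest (and ideally the checker) must live where an intruder who gains root cannot silently update them, otherwise the check proves nothing. Real integrity checkers such as those in the resource list add signed databases, many more attributes and exclusion rules for files that legitimately change.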
As with the resources mentioned in the section on documentation, including good practice, this is not a complete list, merely a few useful links.
- Steps for Recovering from a UNIX or NT System Compromise by CERT/CC and AusCERT (Australian Computer Emergency Response Team); described as "an historic document", but it still contains useful tips.
- The Sleuth Kit (successor to The Coroner's Toolkit).
- Windows Support's Coping with Unknown Worms, Trojans and Rootkits, which also has links to several very useful tools and utilities for examining compromised Windows systems.
- UCL's Computer Security team have a document on Checking Microsoft Windows Systems for Signs of Compromise (PDF)
- AusCERT's Windows Intrusion Detection Checklist
- Task List Programs from Answersthatwork.com.
- The WinTasks Process Library.
- UCL's Computer Security team have a document on Checking Unix/Linux Systems for Signs of Compromise (PDF)
- UNIX Intruder Detection Checklist from AusCERT (quite old but still useful).
- "Root Kits" and hiding files/directories/processes after a break-in by Dave Dittrich (again, quite old but useful).
Last updated: June 2013 (fixed outdated link)