Recovering Compromised Systems

Because it is hard to be sure that every backdoor has been closed, a compromised system should be rebuilt from scratch - even restoring from a backup may simply restore the code that compromised it.

These CERT publications are very useful:

If a computer has been compromised, all the tools and data on that computer that you may want to use to determine the integrity of the machine are suspect. Sophisticated tools, commonly referred to as rootkits, are widely available. They replace all the commands a person would use to investigate a Unix machine. Similar kits exist and are refined for Windows machines.

A careful and sophisticated system cracker will not leave any evidence for you to find. Others may leave traces that can be picked up, but you will need to be familiar with the operation and layout of your particular system. Since most computers nowadays have tens of thousands of files and multiple running processes that vary widely during operation, this can be a complex and tedious process. It's like finding a needle in a haystack: the cracker only has to plant one needle to get into your system, and you have to examine every straw. If you're using your system to look at the straws, there is a chance that the cracker can effectively force you to wear rose-coloured glasses, causing you to miss the needle. That said, many compromises are carried out by relatively unsophisticated individuals, through the random execution of mass-produced hostile code and/or against untargeted computers. In those cases, the compromises leave readily identifiable fingerprints for us to find.

Some areas to be checked are:

Windows machines

  • First confirm that:
    • the user account logged into the system for everyday use does NOT have administrative privileges
    • the operating system is still supported and has all available patches installed
    • automatic updates are enabled
    • all software patches are installed (e.g. Java, Adobe products, etc.)
    • anti-virus software is installed, active and up-to-date
  • List open sockets and network programs - TCPView Pro, FProt, netstat
  • Anti-malware tools (e.g. Malwarebytes) can detect known remote control trojans
  • Desktop firewalls can be used to restrict or allow incoming or outgoing applications as appropriate.
  • List running processes - tasklist, Process Explorer from Sysinternals
  • Startup files (Windows registry / win.ini / system.ini / autoexec / startup folders - tools like Startup Cop and msconfig make this easier) to see what processes are being started at boot time
  • Windows file shares
  • Anti-virus tools (Norton and BOClean) can detect known remote control trojans
  • Desktop firewalls can tell you what network activity they're seeing. Windows desktop firewalls may tell you what applications are accessing the network
  • Additional instructions on detecting remote control trojans on Windows machines
  • NT AT entries to see what regularly scheduled processes are being run

Unix-like machines

  • List running processes - ps command
  • The chkrootkit tool will detect some rootkits
  • List open sockets and network programs - netstat -an (add -p on Linux to show the owning process), lsof
  • Desktop firewalls can tell you what network activity they're seeing.
  • Access logs to see what systems have accessed your system.
  • Audit logs if you have auditing turned on.
  • Unix shell histories.
  • Startup files - Unix inittab/ rc/ inetd - to see what processes are being started at boot time.
  • Unix crontab entries to see what regularly scheduled processes are being run.
  • Unix .rlogin files, particularly the one for root.
  • Unix NFS file shares
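The Unix checklist above is easiest to work through if every item is captured in one place, with a record of which tools produced it. The script below is an added example, not code from the original page: it gathers the listed items (processes, sockets, logins, startup files, cron, rlogin trust files, shell histories, NFS exports) into an evidence directory and hashes each output file into a manifest. Because the page's warning is that the host's own `ps`, `netstat` and `ls` may have been replaced by a rootkit, the script prefers binaries from `TRUSTED_BIN`, an assumed path for known-good copies (for example a read-only USB stick built from clean install media); when that directory is absent it records in the manifest that host binaries were used. The `ss`, `lsof` and `last` commands are standard Linux tools, but any that are missing are simply noted rather than treated as errors.

```shell
#!/bin/sh
# Added example: collect the volatile state a Unix compromise checklist asks for.
# TRUSTED_BIN is an assumed location for known-good tool copies; the host's own
# binaries are suspect on a compromised machine.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/trusted/bin}"

# run_check NAME CMD [ARGS...]: run CMD if a binary for it exists, save its output
# to NAME.txt, and record the output file's SHA-256 in the manifest so the
# evidence can later be shown to be unmodified.
run_check() {
    name=$1; shift
    out="$EVIDENCE_DIR/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || echo "[command exited with status $?] $*" >> "$out"
    else
        echo "tool not available on this host: $1" > "$out"
    fi
    sha256sum "$out" >> "$EVIDENCE_DIR/MANIFEST"
}

# collect_evidence DIR: write every checklist item into DIR.
collect_evidence() {
    EVIDENCE_DIR=$1
    mkdir -p "$EVIDENCE_DIR"
    date -u '+collected %Y-%m-%dT%H:%M:%SZ' > "$EVIDENCE_DIR/MANIFEST"
    if [ -d "$TRUSTED_BIN" ]; then
        PATH="$TRUSTED_BIN:$PATH"; export PATH
        echo "tools taken from $TRUSTED_BIN" >> "$EVIDENCE_DIR/MANIFEST"
    else
        echo "WARNING: host binaries used; a rootkit may have hidden results" >> "$EVIDENCE_DIR/MANIFEST"
    fi

    # running processes
    run_check processes    ps -ef
    # open sockets with owning process: ss on modern Linux, netstat -anp on older systems
    run_check sockets      ss -antup
    run_check sockets_old  netstat -anp
    run_check open_files   lsof -n -P -i
    # who has logged in (copy the access and audit logs themselves separately)
    run_check logins       last -a
    # startup files and scheduled jobs
    run_check startup      ls -la /etc/inittab /etc/inetd.conf /etc/init.d /etc/rc.d /etc/systemd/system
    run_check root_crontab crontab -l -u root
    run_check cron_dirs    ls -la /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.hourly
    # rlogin trust files (root's matters most) and shell histories
    run_check rhosts       find /root /home /etc -maxdepth 2 \( -name .rhosts -o -name hosts.equiv \)
    run_check histories    find /root /home -maxdepth 2 -name '.*history'
    # NFS shares
    run_check nfs_exports  cat /etc/exports
}

# Usage: sh collect.sh /mnt/evidence/<hostname>-<date>
if [ -n "${1:-}" ]; then
    collect_evidence "$1"
fi
```

Write the evidence directory to removable or network storage rather than to the suspect disk, and keep the manifest with the case notes: the hashes let you show later that the captured output was not altered after collection. The manifest's WARNING line is the reminder that anything gathered with host binaries is only as trustworthy as those binaries.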

Mac machines

There are two basic ways to determine what your system is doing independently of the system itself:

  1. Analyze network traffic to and from your machine with an external protocol analyzer or firewall logs. This is not a practical option for most system owners and won't detect actions by locally logged-on operators.

  2. Compare the contents and attributes of the files on your computer with the contents and attributes of the files that are supposed to be there. This requires advance preparation. Tools like Tripwire will allow you to compute file information for files on your computer. These should be stored off the computer to be used for later comparisons. Scripts can compare the information nightly and alert you if something has changed. However, you must be aware of which files change during the normal course of operating your computer and adjust your monitoring and reaction accordingly.

Files that should be checked include at a minimum:

Windows machines

  • Windows registry entries, win.ini, system.ini, autoexec, and startup folders
  • System and root path variable settings.
  • Windows \windows and system folders containing system DLLs.
  • Command folder.
  • Windows operating system images and loaders.
  • System and administrator path variable settings.
  • Security and audit information
  • Windows event log configuration, audit configuration
  • Critical services
  • Windows AT configuration, web server configuration, file sharing configuration

Unix-like machines

  • Startup files: Unix rc files, inittab, shell profiles, and inetd.conf
  • System binaries: Unix bin, etc, and lib directories.
  • Unix operating system image and loaders.
  • System and root path variable settings.
  • System and administrator path variable settings
  • Security and audit information
  • Unix syslog configuration, ipchains configuration, audit configuration, tcpwrappers configuration
  • Unix cron configuration, web server configuration, NFS configuration, FTP server configuration, etc.
  • Red Hat Linux has a utility called RPM that can be used to check the installed files against prepared packages available from the vendor's web site or from CDROM distribution media.
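On an RPM-based system, `rpm -Va` compares every installed file against the size, mode, digest, owner, group and mtime recorded when the package was installed, which covers the bin, lib and configuration directories listed above in one pass. Its output still needs interpretation: configuration files are expected to differ from the package, while a changed digest on a binary or library is the classic replaced-command signature. The function below is an added example, not from the page or from the RPM project; it reads `rpm -Va` lines and assigns a severity using the documented nine-character flag field (S size, M mode, 5 digest, D device, L symlink target, U user, G group, T mtime, P capabilities, "." for a match), the optional `c` attribute marker for config files, and the `missing` marker for deleted files. The sample lines are constructed for the example and are not real findings.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output. Constructed sample data below.

# triage_rpm_verify: read rpm -Va lines on stdin and print
# "<severity> <reason> <path>", one line per input line.
triage_rpm_verify() {
    awk '
        NF == 0 { next }
        {
            path = $NF
            if ($1 == "missing") { print "HIGH   file missing       " path; next }
            flags = $1
            type  = (NF == 3) ? $2 : ""        # "c" marks a config file
            # content of a non-config file differs: binary or library replaced
            if      (flags ~ /[S5LD]/ && type != "c") sev = "HIGH   content changed    "
            # ownership, permissions or capabilities differ
            else if (flags ~ /[MUGP]/)                sev = "MEDIUM mode/owner changed "
            # a locally edited config file: expected, but review the edit
            else if (flags ~ /[S5]/)                  sev = "INFO   config file edited "
            # only the timestamp differs
            else                                      sev = "LOW    timestamp only     "
            print sev path
        }'
}

# Constructed sample of rpm -Va output (not real findings).
SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libz.so.1
missing     /usr/bin/netstat
.M.......    /usr/bin/passwd
..5....T.  c /etc/hosts'

# count_high: number of HIGH findings on stdin; any non-zero count means the
# machine should be rebuilt rather than cleaned.
count_high() { triage_rpm_verify | grep -c '^HIGH' || true; }

# Usage on a live system:  rpm -Va | triage_rpm_verify | sort
```

Two caveats apply to the result. `rpm -Va` trusts the host's RPM database and the `rpm` binary itself, both of which an intruder can alter, which is why the text suggests checking against packages from the vendor's site or installation media: `rpm -Vp <package>.rpm` verifies files against a freshly downloaded package file instead of the local database, and `rpm -K <package>.rpm` checks that package's signature first. And a clean report only covers packaged files; anything added outside a package (a new file in `/usr/local/bin`, an extra cron entry) is invisible to it, which is what a file baseline is for.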

OSX machines

There is a commercial version of Tripwire that will run on Windows OSes. Many other commercial tools are also available such as Axent's ESM. Dr. Solomon's anti-virus product included a tool called viverify that could be used to perform the same task.

Useful sites

The following sites can be useful as they provide tools and resources for troubleshooting and forensic analysis.
