A Debian server belonging to a pal of mine is suspected of having been compromised, based on some log entries. Since I have not done anything like this before, my first step was to look for sources of information on the subject. Here's what I came up with.
SANS InfoSec Reading Room - Incident Handling
This is a large collection of incident handling publications, and a couple of them are interesting. I especially recommend the article "Forgetting to Lock the Back Door: A Break-in Analysis on a Red Hat Linux 6.2 Machine" by Gary Belshaw; it seemed to me to be the only one going into technical detail for a Linux server.
Wiretapped - an archive of software and information covering the areas of host, network and information security, network operations, cryptography and privacy
Forensic Analysis Toolkit (FATKit)
The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.
F.I.R.E - a boot CD containing various forensic tools
The project seems to be dead, with the last contribution dating from 2004.
Honeynet Project - provides help (articles and tools) for setting up a honeypot (a server that attracts attackers and forwards all intrusion detection logs to a central server for analysis)
chkrootkit - a tool for detecting rootkits on Linux and Unix systems
Also available as a Debian package.
Rootkit Hunter - another rootkit detection tool
There is only a Debian Etch package for it (rkhunter), none in Sarge.
Coroner's toolkit - various forensic tools
TCT is a collection of programs by Dan Farmer and Wietse Venema for the post-mortem analysis of a UNIX system after a break-in.
Notable TCT components are the grave-robber tool that captures information, the ils and mactime tools that display access patterns of files dead or alive, the unrm and lazarus tools that recover deleted files, and the findkey tool that recovers cryptographic keys from a running process or from files.
Available in Debian in the tct package.
The Sleuth Kit (TSK)
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that allow you to investigate a computer. The current focus of the tools is the file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS, and ISO 9660 file systems.
In Debian use the sleuthkit package.
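Both TCT and The Sleuth Kit ship a mactime tool that folds the three POSIX timestamps of every file (modification, access and inode change) into one chronological list, so that everything touched around the time of the suspicious log entries stands out. The following is an added example written for this post, not code from TCT or TSK: a small Python re-implementation of that idea, run over constructed sample records (the paths, the timestamps and the 2007-03-02 02:14 UTC "window" are all made up for illustration).

```python
"""Toy MAC-time timeline builder (added example; not part of TCT or TSK)."""
import os
import time
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One record per file: (path, mtime, atime, ctime), all in epoch seconds
Record = Tuple[str, float, float, float]
Row = Tuple[int, str, str]  # (timestamp, flags, path)

# Constructed sample data. BASE is 2007-03-02 02:14:00 UTC, imagined to be
# the time of the suspicious log entries on the compromised server.
BASE = 1172801640
DEMO_RECORDS: List[Record] = [
    # path                 mtime               atime       ctime
    ("/etc/passwd",        BASE - 30 * 86400,  BASE + 20,  BASE - 30 * 86400),   # only read in the window
    ("/etc/ld.so.preload", BASE + 60,          BASE + 60,  BASE + 60),           # created in the window
    ("/usr/bin/ls",        BASE - 200 * 86400, BASE + 61,  BASE + 61),           # old mtime, fresh ctime
    ("/var/log/auth.log",  BASE + 5,           BASE + 5,   BASE + 5),
]


def collect_records(root: str) -> List[Record]:
    """Walk root and record the three timestamps of every entry.

    lstat() is used so that symlinks are recorded as themselves instead of
    being followed; an attacker's link pointing at /bin/sh should show up.
    """
    records: List[Record] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            records.append((path, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records: Iterable[Record]) -> List[Row]:
    """Fold records into (timestamp, flags, path) rows sorted by time.

    flags is a three-character field in the style of mactime: 'm', 'a', 'c'
    or '.' for modified / accessed / changed, so a file whose timestamps
    coincide appears once as 'mac' rather than as three separate rows.
    """
    events: Dict[Tuple[int, str], List[str]] = defaultdict(list)
    for path, mtime, atime, ctime in records:
        events[(int(mtime), path)].append("m")
        events[(int(atime), path)].append("a")
        events[(int(ctime), path)].append("c")
    rows: List[Row] = []
    for (ts, path), kinds in events.items():
        flags = "".join(k if k in kinds else "." for k in "mac")
        rows.append((ts, flags, path))
    rows.sort()
    return rows


def activity_between(rows: Iterable[Row], start: int, end: int) -> List[str]:
    """Paths with any m/a/c event inside [start, end], the window the logs point at."""
    return sorted({path for ts, _, path in rows if start <= ts <= end})


def format_row(ts: int, flags: str, path: str) -> str:
    """Render one row as 'YYYY-MM-DD HH:MM:SS mac /path' (UTC)."""
    return f"{time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime(ts))} {flags} {path}"


if __name__ == "__main__":
    # Replace DEMO_RECORDS with collect_records("/") when run on an image
    # mounted read-only; never run it on the live, possibly rootkitted, box.
    timeline = build_timeline(DEMO_RECORDS)
    for row in timeline:
        print(format_row(*row))
    print("touched in the window:", activity_between(timeline, BASE, BASE + 120))
```

Reading the constructed output: /etc/ld.so.preload appearing as a single "mac" row inside the window means it was created then, and the ".ac" row for /usr/bin/ls shows an inode change and access in the window while its mtime is months old. utime(2) (and therefore touch) can set atime and mtime but not ctime, so an mtime that is much older than the ctime is a pattern worth a closer look, although it is also the normal state of any file installed from a package, so it is a lead rather than proof.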