[F'ups trimmed because I don't read a.w.w. and my newsreader will
puke on it...]
In alt.html Neal said:
> Now, how would you handle this scenario in real life? What's the best
> approach to follow?
I've actually seen a similar thing.
A client of mine bought a server for co-lo, so we moved their sites to
it from a web hosting provider who was once popular with the esteemed
folks of this very newsgroup but who shall remain nameless. The former
web host started out by port scanning the new box, but didn't find
anything too exciting or exploitable, and went away. I had hoped that
the port scan would be the end of it.
Some weeks or months later one of my applications on the new server
emailed me several times in a short time, which I took to indicate that
the client was having trouble with something he was doing, so I logged
in on the server and initiated a 'talk' session with him to see if he
needed some help. He was pretty sure that he had it under control, knew
what was wrong with the data he was trying to feed to the app, so I
just hung around for a bit. He came up with a "what if I wanted to do
this?" kind of question, to which I replied he'd have to have root
access to accomplish it. Next thing we know, on both of our terminals,
is the question:
What is the root password?
I KNEW that there was no way this particular guy was going to ask for
it. He's rightfully afraid of being root, because he doesn't have a
clue about administering a Linux machine. So, while I typed out, "You
know I'm not going to give that to you" I picked up the phone and
dialed the guy's home number. His first words were, "I didn't type
that!"
So, while we continued chatting via talk, I did all of the appropriate
checks on the server while I talked him through the installation of
Zone Alarm on the laptop he was using. We quickly discovered that his
laptop had been compromised, and the unauthorized remote host belonged
to that former web hosting provider.
I have no use at all for that former web hosting provider, but I
believe they're smart enough to prevent their own machines from being
cracked. At that time, all of their machines were located on their
premises, so physical access was restricted. I drew the simplest
conclusion... it could be the wrong conclusion, but there have been
other incidents involving others of my clients and different servers
that tend to support it.
> What will my host need from me to track down these hackers?
Hopefully, just the time at which you observed evidence of a
compromise. Most compromises are initiated by script kiddies who don't
know quite enough about their targets to effectively cover their
tracks, so there will be evidence of their activity left behind.
A truly skillful cracker will leave no evidence whatsoever, and will
have bounced through so many remote hosts that rooting him out would be
nearly impossible. In a case like that, the system administrator has to
just pull the ethernet cable and start doing forensics to discover the
hole that let the cracker in.
In the end, tracking them down is almost always a pointless exercise,
anyway.
> And would changing the password to something random effectively stop
> an active hacker?
It depends upon how the cracker got in, and if he's logged in at the
time. Just changing your password doesn't generally terminate any
active sessions, so if he's logged in at the time when you change your
password, he'll remain logged in. If your system administrator is
involved, he can kill all of the processes running under your user name
to boot the cracker, but that doesn't mean he won't be back.
If your web hosting provider offers you FTP, POP3, a web-based control
panel via HTTP (rather than SSL), or any other service that
authenticates in the clear, then anyone who can sniff the interface can
get into that service. If all of them happen to authenticate against
the same database, or your authentication credentials are the same for
all of them via some other mechanism, anyone who can sniff the
interface can get into all of them. So changing your password will just
make them wait until you use one of those services.
And, finally, if it's your machine that's compromised, nothing your
hosting provider can do will help you. Personally, when I see evidence
that a user's machine is compromised, I firewall it out until it's
fixed, and keep an eye on it for a while after letting it back in.
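As an added illustration of the point above about password changes not ending live sessions (this is example code written for this reply, not something from the original post or the poster's own scripts): the admin-side step is to find the user's live logins and then kill everything running under that account. It assumes a Linux host with `who`, `ps`, `pgrep` and `pkill` from procps; the `who` output embedded below is a constructed sample so the listing functions can be exercised without a live session.

```shell
#!/bin/sh
# Added example: after a password change, the attacker's existing shell
# is still alive. List the account's live sessions, then terminate every
# process it owns. Assumes Linux with procps (pgrep/pkill) installed.

# Print "tty origin" for each live login of user $1, reading `who` output
# from stdin so it works on real `who` output or a constructed sample.
# The last field of a `who` line is the remote host when one is shown.
sessions_for_user() {
    awk -v u="$1" '$1 == u { print $2, $NF }'
}

# Count live sessions for user $1 from the `who` output on stdin.
count_sessions() {
    sessions_for_user "$1" | wc -l | tr -d ' '
}

# Terminate every process owned by $1: this is what actually boots the
# intruder, since the password change alone left the session running.
# Returns 2 for an empty name or root (the admin's own account), 0 when
# nothing owned by the user survives, 1 otherwise.
boot_user() {
    user="$1"
    [ -n "$user" ] && [ "$user" != "root" ] || return 2
    pkill -TERM -u "$user" 2>/dev/null
    sleep 2
    pkill -KILL -u "$user" 2>/dev/null
    # Verify nothing survived (pgrep exits 1 when no process matches).
    if pgrep -u "$user" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample of `who` output (not captured from a real machine),
# used only to demonstrate the listing functions.
SAMPLE_WHO='alice    pts/0        2003-04-01 10:02 (203.0.113.5)
bob      pts/1        2003-04-01 10:15 (198.51.100.7)
alice    pts/2        2003-04-01 10:40 (203.0.113.5)'

# Usage on a live box:   who | sessions_for_user alice ; boot_user alice
# Demo on the sample:    sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_WHO" | sessions_for_user alice
fi
```

Run `who | sessions_for_user NAME` first to see where the logins come from, change the password, then `boot_user NAME`; as the post says, none of this closes the hole the intruder used, it only ends the current session.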