Intrusion

Intrusion is an attempt to gain unauthorized access to a system, whether simply to test the security of the network, to use the compromised host as a launching pad for further attacks on other systems, or to modify or steal information.

Problem:

Intrusion is typically committed by gaining initial access to a particular host, for example by discovering the password of a user account on that system. The intruders then attempt to become root on the compromised system. In practice, intruders carry out the following activities:

  • Sniffer Attacks - capturing data as it traverses the net
  • E-mail attacks - gaining system access through vulnerabilities in network service software
  • Network File System attacks - gaining data access through vulnerabilities in operating system software
  • Network Infrastructure attacks - denial of service through attacks on routers and name servers, for example in order to impersonate the server
  • IP spoofing attacks - gaining system access by tunneling through firewalls
  • WWW threats - gaining user or system information through the web or CGI programs.

Solutions:

  • Report the intrusion to your Internet Service Provider

    The report should include the following:

    • The originating IP address
    • Timestamp with the exact time zone, e.g. GMT, PDT or MYT
    • A brief description of the method used in the activity
  • Check your systems for signs of intrusion due to this incident.

    A1. Check the su, ftpd, and ftp binaries (for example, "/bin/su", "/usr/ucb/ftp" and "/usr/etc/in.ftpd" on Sun systems) against copies from distribution media.
    A2. Check for the presence of any of the following files: "/usr/etc/..." (dot dot dot), "/var/crash/..." (dot dot dot), "/usr/etc/.getwd", "/var/crash/.getwd", or "/usr/kvm/..." (dot dot dot).
    A3. Check for the presence of "+" in the "/etc/hosts.equiv" file.
    A4. Check the home directory of each entry in the "/etc/passwd" file for the presence of a ".rhosts" file containing "+ +" (plus space plus).
    A5. Search the system for the presence of the following set-uid root files: "wtrunc" and ".a".
    A6. Check for the presence of the set-uid root file "/usr/lib/lpx".
    A7. You may refer to the following URL for a further intrusion detection checklist: http://www.cert.org/tech_tips/intruder_detection_checklist.html

  • Take the following steps to secure your systems.

    • Save copies of the identified files to removable media.
    • Replace any modified binaries with copies from distribution media.
    • Remove the "+" entry from the "/etc/hosts.equiv" file and the "+ +" (plus space plus) entry from any ".rhosts" files.
    • Remove any of the set-uid root files mentioned in A5 or A6 above that you find.
    • Change every password on the system.
    • Inspect the files mentioned in A2 above for references to other hosts.
    • You may also go to the following site for further information on steps for recovering from a UNIX root compromise:
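The intrusion checks listed above (modified su/ftp/ftpd binaries, "..." and .getwd files, "+" in hosts.equiv, "+ +" in .rhosts, the named set-uid root files) as a script, added here and not part of the original advisory. It assumes the suspect filesystem root and a mounted copy of the distribution media are passed as arguments, so a disk image can be examined from a clean host; the function names and the "FINDING:" output format are my own, the paths are the Sun paths given on the page.

```shell
#!/bin/sh
# Added example (not CERT/MyCERT code): applies the checks listed above to a
# filesystem root, e.g. a suspect disk image mounted read-only on a clean host.
check_binaries() {  # $1 = suspect root, $2 = trusted distribution-media root
    rc=0
    for bin in /bin/su /usr/ucb/ftp /usr/etc/in.ftpd; do   # Sun paths from the page
        if [ -f "$1$bin" ] && ! cmp -s "$1$bin" "$2$bin"; then
            echo "FINDING: $bin differs from (or is missing in) distribution copy"; rc=1
        fi
    done
    return $rc
}
check_hidden_files() {  # $1 = suspect root; "..." (dot dot dot) and .getwd files
    rc=0
    for f in /usr/etc/... /var/crash/... /usr/etc/.getwd /var/crash/.getwd /usr/kvm/...; do
        if [ -e "$1$f" ]; then echo "FINDING: $f present"; rc=1; fi
    done
    return $rc
}
# "+" in hosts.equiv or "+ +" in a .rhosts makes the r-commands trust every host/user
check_trust_files() {  # $1 = suspect root
    rc=0
    if grep -Eq '^[[:space:]]*\+([[:space:]]|$)' "$1/etc/hosts.equiv" 2>/dev/null; then
        echo "FINDING: /etc/hosts.equiv contains a + entry"; rc=1
    fi
    for home in $(cut -d: -f6 "$1/etc/passwd" 2>/dev/null); do
        if grep -Eq '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$1$home/.rhosts" 2>/dev/null; then
            echo "FINDING: $home/.rhosts contains + +"; rc=1
        fi
    done
    return $rc
}
# Set-uid files named wtrunc or .a anywhere, plus a set-uid /usr/lib/lpx; the
# owner is printed rather than filtered on so non-root copies show up too
check_setuid() {  # $1 = suspect root
    rc=0
    if [ -f "$1/usr/lib/lpx" ] && [ -u "$1/usr/lib/lpx" ]; then
        echo "FINDING: set-uid file $(ls -ld "$1/usr/lib/lpx")"; rc=1
    fi
    for f in $(find "$1" -xdev -type f \( -name wtrunc -o -name .a \) -perm -4000 2>/dev/null); do
        echo "FINDING: set-uid file $(ls -ld "$f")"; rc=1
    done
    return $rc
}
run_checks() {  # $1 = suspect root, $2 = distribution root; returns 1 if anything found
    rc=0
    check_binaries "$1" "$2" || rc=1; check_hidden_files "$1" || rc=1
    check_trust_files "$1" || rc=1; check_setuid "$1" || rc=1
    return $rc
}
```

Run `run_checks / /mnt/distribution` as root on the suspect host, or point both arguments at mounted images; each check prints one FINDING line per hit and returns 1 if anything was found.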
