CSI
From Wsms
I made a DVD with the files from the server that was hacked.
how the DVD was made
copy files from the server to a laptop
The first problem was to get the data off of the old server without letting the server run any hacked programs. To do this I used Knoppix, version 5.0.1 DVD, to boot the server. I attached power, keyboard, video and a mouse to the server. Note that I did not put the server on the network. I connected it to my laptop using a single Cat-6 crossover cable.
The next step was to boot Knoppix using the "knoppix nodhcp" cheatcode. As it happened, Knoppix, the server's video card and the monitor didn't get along well enough to run X windows. This is the first computer-monitor combination that I've encountered that will not run Knoppix with X windows. So I rebooted, again to Knoppix, with the "knoppix 2 nodhcp" cheatcode, which provides a virtual terminal command-line interface. Fortunately, the Knoppix DVD includes emacs, because I had to use it to modify /etc/network/interfaces so that the ethernet connection could be brought up. These are the contents of the modified /etc/network/interfaces:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
# automatically added when upgrading
auto lo
iface lo inet loopback

iface eth0 inet static
    address 192.168.2.2
    netmask 255.255.255.0
By default, Knoppix uses dhcp at boot time to configure the network interfaces. I had to configure the interface manually because no dhcp server was available. Knoppix is based on the Debian distribution, and some of the options and configuration files have different names than you may be used to with Fedora. Specifically, Fedora doesn't have a /etc/network/interfaces file. It has the same type of information stored elsewhere in the /etc directory.
Knoppix doesn't modify what's on the machine's hard disk unless you tell it to. The modified /etc/network/interfaces file is actually stored in RAM. This allows us to run the computer, mount the hard disk read-only, and copy over the files without booting from the hard disk itself and running possibly compromised programs.
Then I brought up the server's ethernet interface with:
# ifup eth0
Next I ran the vgscan command to list the logical volume groups that the server was using:
root@1[knoppix]# vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "VolGroup00" using metadata type lvm2
And the vgchange command to activate the logical volume groups:
root@1[knoppix]# vgchange -a y
  2 logical volume(s) in volume group "VolGroup00" now active
Use lvs to list the logical volumes in the active volume group:
root@1[knoppix]# lvs
  LV       VG         Attr   LSize   Origin Snap%  Move Log Copy%
  LogVol00 VolGroup00 -wi-a-  73.41G
  LogVol01 VolGroup00 -wi-a- 992.00M
Make a mount point:
root@1[knoppix]# cd /mnt
root@1[knoppix]# mkdir lv0
Mount the logical volume holding the server's root filesystem:
root@1[knoppix]# mount -o ro /dev/VolGroup00/LogVol00 lv0/
Mount the server's /boot partition:
root@1[knoppix]# mount -o ro /dev/hda1 hda1
Copy the server's /boot partition to my laptop:
root@1[knoppix]# rsync -av /media/hda1 192.168.2.13:/mnt/hda6/rop-hacked/
You have to use /media/hda1 instead of /mnt/hda1 because of the silly way recent versions of Knoppix handle volumes that are detected on bootup.
Copy the files from the server's root partition:
root@1[knoppix]# rsync -av lv0 192.168.2.13:/mnt/hda6/rop-hacked/
Copy the files from my laptop to my desktop
I went home and plugged my laptop into my network. Then from my desktop machine:
# cd /mnt/sda9
# rsync -av harrison:/mnt/hda6/rop-hacked .
create and burn the DVD with mkisofs and k3b
mkisofs is the Linux command to create an ISO image from a bunch of files:
# mkisofs -V rop-hacked -r -iso-level 4 -o rop-hacked.iso rop-hacked
k3b is a gui-based program that can, among a lot of other things, create a CD from an ISO image. I might post some screen dumps here someday.
analysis
I copied the files from the DVD to my VM.
[root@ws05 ~]# mkdir rop-hacked
[root@ws05 ~]# cd rop-hacked
[root@ws05 rop-hacked]# cp -rp /media/rop-hacked/* .
It gave a bunch of error messages. I'll have to try it on a real Linux machine at home.
more analysis
Today (Wednesday December 6, 2006) I copied the files back to my laptop. I did:
# cd /mnt/hda6/rop-hacked/lv0
# cp -rp ../hda1/* boot
# chroot /mnt/hda6/rop-hacked/lv0
# rpm -Va
It looks like everything is showing up as ".M...U.." I'm not sure how useful that is.
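An added example, not part of the original page: a small sh/awk filter for rpm -Va output that keeps only entries whose contents differ from the package database (size, digest or symlink target) or are missing, and drops entries that differ only in mode, owner, group or mtime. When every file shows ".M...U..", the uniform mode/owner differences are most plausibly an artifact of the copy and chroot rather than tampering, so the digest changes are the signal to look at first. The sample rpm -Va lines below are constructed for the example.

```shell
#!/bin/sh
# rpm -Va flag columns (8-column layout): S size, M mode, 5 digest,
# D device, L symlink, U user, G group, T mtime. Column 2 of the
# output ("c") marks a config file, whose contents are expected to change.

# Constructed sample of rpm -Va output (not data from the server).
SAMPLE_RPM_VA='.M...U..    /bin/bash
.M...U..    /etc/hosts
SM5..U..    /bin/ls
.M...U..  c /etc/passwd
.M5..U..  c /etc/ssh/sshd_config
.M..LU..    /usr/bin/python
missing     /sbin/ifconfig'

# content_changes: read rpm -Va lines on stdin, print "path<TAB>reason"
# for non-config files whose size, digest or symlink target changed,
# and for files that are missing entirely.
content_changes() {
    awk '
    $1 == "missing" { print $NF "\tmissing"; next }
    {
        flags = $1; why = ""
        if (substr(flags, 1, 1) == "S") why = why "size "
        if (substr(flags, 3, 1) == "5") why = why "digest "
        if (substr(flags, 5, 1) == "L") why = why "symlink "
        if (why != "" && $2 != "c") print $NF "\t" why
    }'
}

# report_sample: run the filter over the constructed sample.
report_sample() {
    printf '%s\n' "$SAMPLE_RPM_VA" | content_changes
}

# count_content_changes: number of flagged entries in the sample (3).
count_content_changes() {
    report_sample | wc -l | tr -d ' '
}

# Real use, feeding the chroot's verify output into the filter:
#   chroot /mnt/hda6/rop-hacked/lv0 rpm -Va | content_changes
```

Note that rpm -Va run inside the chroot trusts the copied system's own rpm binary and rpm database, both of which were on the hacked machine; comparing digests against a clean copy of the same packages is the stronger check.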
