Securing a Compromised System

Steps to secure System

1. The cracker will try to break the root account, by either obtaining root's password, or making a program running as root do bad things. With root, a cracker can do anything!
2. The log files show all of the activity on the system, so the cracker's
   first step after gaining root access is to eliminate them, thereby making themselves invisible.
3. The cracker then installs a backdoor^[1], in case the password on a hacked account is changed. This is accomplished by creating a new user, enabling a normally inactive user, or installing a special server process that allows them to connect again.
4. The local password file, if readable, will be retrieved for offline analysis. Exploits of known problems are available for many "secure" networked password systems that allow intruders to also retrieve the password files of other related machines on the network.
5. The cracker will try to gain direct access to other machines on the network. For example, if passwords are reused across machines, if users can connect among machines without passwords, or if there are other vulnerable services on the network, the cracker can easily break into additional machines.

1. Here is a network of machines.
2. Since security measures have not been implemented, an attacker is able to break into one of the machines.
3. An attacker's work is complete since he has compromised one of the machines on the network, so the hacker exits.
4. All of the machines have been compromised by the break in, possibly causing irreversible damage due to the malicious software installed on the machine.