RFC 1244 Site Security Handbook July 1991
snapshot as soon as one suspects that something is wrong. Many
incidents cause a dynamic chain of events to occur, and an initial
system snapshot may do more good in identifying the problem and
any source of attack than most other actions which can be taken at
this stage. Finally, it is important to start a log book.
Recording system events, telephone conversations, time stamps,
etc., can lead to a more rapid and systematic identification of
the problem, and is the basis for subsequent stages of incident
handling.
There are certain indications or "symptoms" of an incident which
deserve special attention:
o System crashes.
o New user accounts (e.g., the account RUMPLESTILTSKIN
has unexplainedly been created), or high activity on
an account that has had virtually no activity for
months.
o New files (usually with novel or strange file names,
such as data.xx or k).
o Accounting discrepancies (e.g., in a UNIX system you
might notice that the accounting file called
/usr/admin/lastlog has shrunk, something that should
make you very suspicious that there may be an
intruder).
o Changes in file lengths or dates (e.g., a user should
be suspicious if he/she observes that the .EXE files in
an MS DOS computer have unexplainedly grown
by over 1800 bytes).
o Attempts to write to system (e.g., a system manager
notices that a privileged user in a VMS system is
attempting to alter RIGHTSLIST.DAT).
o Data modification or deletion (e.g., files start to
disappear).
o Denial of service (e.g., a system manager and all
other users become locked out of a UNIX system, which
has been changed to single user mode).
o Unexplained, poor system performance (e.g., system
response time becomes unusually slow).
o Anomalies (e.g., "GOTCHA" is displayed on a display
terminal or there are frequent unexplained "beeps").
o Suspicious probes (e.g., there are numerous
unsuccessful login attempts from another node).
o Suspicious browsing (e.g., someone becomes a root user
on a UNIX system and accesses file after file in one
user's account, then another's).
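As an added illustration (not part of RFC 1244), the check below compares the initial system snapshot recommended above against a later one and scans constructed login records for several of the symptoms just listed; the file names, sizes, the log line format and the three-attempt threshold are assumptions made for the sample.

```python
"""Compare a baseline system snapshot with a later one and flag the incident
symptoms this section lists: new accounts, new files, a shrunken accounting
file, executables that grew, and repeated failed logins from one node."""
import re
from collections import Counter

# Constructed baseline taken while the system was believed to be clean.
BASELINE = {
    "accounts": {"root", "alice", "bob"},
    "files": {"/usr/admin/lastlog": 40960, "/bin/login": 20480,
              "C:/DOS/COMMAND.EXE": 52000},
}
# Constructed later snapshot containing several of the listed symptoms.
CURRENT = {
    "accounts": {"root", "alice", "bob", "rumplestiltskin"},
    "files": {"/usr/admin/lastlog": 12288, "/bin/login": 20480,
              "C:/DOS/COMMAND.EXE": 53900, "/tmp/k": 1},
}
# Constructed login records in a made-up format, used for the probe check.
AUTH_LOG = """\
Jul 11 01:02:11 host login: FAILED LOGIN FROM badnode FOR root
Jul 11 01:02:14 host login: FAILED LOGIN FROM badnode FOR root
Jul 11 01:02:19 host login: FAILED LOGIN FROM goodnode FOR alice
Jul 11 01:02:22 host login: FAILED LOGIN FROM badnode FOR guest
Jul 11 01:02:30 host login: FAILED LOGIN FROM badnode FOR operator
"""
ACCOUNTING_FILES = {"/usr/admin/lastlog"}   # files that should only grow
FAILED_LOGIN = re.compile(r"FAILED LOGIN FROM (\S+) FOR (\S+)")

def compare_snapshots(base, cur):
    """Return (symptom, item) pairs for every difference worth a look."""
    findings = [("new_account", a) for a in sorted(cur["accounts"] - base["accounts"])]
    findings += [("new_file", p) for p in sorted(set(cur["files"]) - set(base["files"]))]
    for path, size in sorted(cur["files"].items()):
        old = base["files"].get(path)
        if old is None or size == old:
            continue
        if path in ACCOUNTING_FILES and size < old:
            findings.append(("accounting_shrunk", path))   # lastlog got smaller
        elif path.upper().endswith(".EXE") and size - old > 1800:
            findings.append(("exe_grown", path))           # .EXE grew by > 1800 bytes
        else:
            findings.append(("size_changed", path))
    return findings

def failed_login_probes(log_text, threshold=3):
    """Map each remote node to its failed-login count once it reaches threshold."""
    counts = Counter(m.group(1) for m in FAILED_LOGIN.finditer(log_text))
    return {node: n for node, n in counts.items() if n >= threshold}
```

Anything the two functions return is a lead for the log book, not proof of an incident on its own.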
None of these indications is absolute "proof" that an incident is
Site Security Policy Handbook Working Group [Page 66]