[lug] Ancient RH box hacked, which packages must be updated?

Nate Duehr nate at natetech.com
Thu Mar 25 22:48:10 MST 2004


Zan Lynx wrote:

>On Thu, 2004-03-25 at 18:34, Tkil wrote:
>
>>>>>>> "Bear" == Bear Giles <bgiles at coyotesong.com> writes:
>>
>>Bear> The one bright note is that we haven't seen any sign of a
>>Bear> malicious kernel module - once we were aware of a problem we
>>Bear> quickly identified the rogue processes with netstat, lsof and
>>Bear> ps.
>>
>>You're aware that these modules hide themselves, even from "lsmod"?
>>
>>Once a system is compromised, you are far better off starting with a
>>brand new disk (or, if you want to use the same disk, do a full wipe
>>and repartition / reformat.)
>>
>>But maybe I'm just paranoid.
>>
>
>I would say it is best to reinstall, but if you just can't, here's what
>I recommend:
>
>First, back everything up.  You should have done that anyway.  Don't
>back up only your only set of old media because that might be the only
>set you really want with uncorrupted data on it :-)
>
>Find or download the original install CD-ROM for your installation. 
>Boot from that.
>
>Now from rescue mode, install new rpms for rpm, glibc, kernel, lilo or
>grub and initscripts.  When you do this make SURE you are using the rpm
>installer from the rescue disk, not the rpm binary from the compromised
>system.
>
>Now chroot into your system and use rpm package checksums to verify
>everything.  rpm -Va I think.  Reinstall tripwire's binaries and run
>that.  Investigate anything funny looking.
>
I tend to lean toward the camp that says "reinstall it".  That's the 
absolute best course of action because then you've got full control of 
the process.

However, in either case (the reinstall or the "quick fix 'er upper" job) 
there are some useful forensic tools out there you can use to your 
advantage.  I've successfully used The Coroner's Toolkit (TCT) on two 
occasions to find "interesting" things to investigate.  
http://www.porcupine.org/forensics/tct.html

The undelete stage of something like TCT can eat up mountains of disk 
space, however.  Be forewarned.

And don't mistake any of the "forensic" toolkit descriptions out there 
for actually teaching you to practice or to show you how proper computer 
forensics for admission as evidence to a court of law are done.  There's 
a very limited subset of disk imaging/investigation software that's 
generally well-known and trusted enough to be used for forensic 
evidence-gathering in a legal sense -- and nothing in the open-source 
world is striving to replace any of these commercial applications.

Interesting but extremely time-consuming stuff, computer/data 
forensics.  Best practiced ahead of time, and in many cases, if you're 
getting paid to do other things (like most sysadmins), you may be 
spending some "quality time" on your own with the old hard disk doing 
analysis that your employer simply won't pay you to do but that you can 
spend your own free time on.

Nate Duehr, nate at natetech.com
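An added example (not from any poster in this thread) of the `rpm -Va` triage step Zan describes: a POSIX shell helper that reads rpm's verify output and separates the lines worth investigating (digest, size or symlink changes on non-config binaries, missing files) from the noise (mtime-only changes, edited config files). It assumes rpm's standard eight verify columns (`S M 5 D L U G T`) followed by an optional attribute letter and the path; the sample output is constructed, and `/mnt/sysimage` is the usual rescue-mode mount point, not a value from the thread.

```shell
#!/bin/sh
# Added example: triage "rpm -Va" output taken from a rescue-boot chroot.
# Run it with the TRUSTED rpm from the rescue media, never the one on the
# suspect disk, e.g.:  rpm --root /mnt/sysimage -Va | classify_rpm_verify

# Constructed sample of rpm -Va output (not captured from a real host).
SAMPLE_RPM_VA='S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T    /usr/share/doc/foo/README
S.5....T  c /etc/ssh/sshd_config
..5....T  c /etc/inittab
missing     /sbin/lsof
.M......    /usr/bin/passwd
SM5....T    /usr/sbin/sshd'

# classify_rpm_verify: reads rpm -Va lines on stdin, prints "CATEGORY path".
#   SUSPECT - digest (5), size (S) or symlink target (L) changed on a
#             non-config file: exactly how a trojaned ps/netstat shows up
#   MODE    - mode, owner or group changed (e.g. a new setuid bit)
#   MISSING - in the package database but gone from disk
#   CONFIG  - a config file changed; usually legitimate local edits
#   NOISE   - only the mtime changed
classify_rpm_verify() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        set -- $line                 # split on whitespace: flags [attr] path
        flags=$1; shift
        attr=""
        case "$1" in
            c|d|g|l|r) attr=$1; shift ;;   # rpm's file-attribute marker
        esac
        path=$1
        if [ "$flags" = "missing" ]; then
            echo "MISSING $path"
        elif [ "$attr" = "c" ]; then
            echo "CONFIG $path"
        else
            case "$flags" in
                S*|??5*|????L*)          echo "SUSPECT $path" ;;
                ?M*|?????U*|??????G*)    echo "MODE $path" ;;
                *)                       echo "NOISE $path" ;;
            esac
        fi
    done
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | classify_rpm_verify
```

A SUSPECT hit on the very tools used to spot the intrusion (ps, netstat, lsof) is the signal that the "we found it with ps" reassurance above cannot be trusted from the compromised host itself.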


