[lug] Ancient RH box hacked, which packages must be updated?
Zan Lynx
zlynx at acm.org
Thu Mar 25 18:44:16 MST 2004
On Thu, 2004-03-25 at 18:34, Tkil wrote:
> >>>>> "Bear" == Bear Giles <bgiles at coyotesong.com> writes:
>
> Bear> The one bright note is that we haven't seen any sign of a
> Bear> malicious kernel module - once we were aware of a problem we
> Bear> quickly identified the rogue processes with netstat, lsof and
> Bear> ps.
>
> You're aware that these modules hide themselves, even from "lsmod"?
>
> Once a system is compromised, you are far better off starting with a
> brand new disk (or, if you want to use the same disk, do a full wipe
> and repartition / reformat.)
>
> But maybe I'm just paranoid.
>
I would say it is best to reinstall, but if you just can't, here's what
I recommend:
First, back everything up. You should have done that anyway. Don't
backup only your only set of old media because that might be the only
set you really want with uncorrupted data on it :-)
Find or download the original install CD-ROM for your installation.
Boot from that.
Now from rescue mode, install new rpms for rpm, glibc, kernel, lilo or
grub and initscripts. When you do this make SURE you are using the rpm
installer from the rescue disk, not the rpm binary from the compromised
system.
Now chroot into your system and use rpm package checksums to verify
everything. rpm -Va I think. Reinstall tripwire's binaries and run
that. Investigate anything funny looking.
--
Zan Lynx <zlynx at acm.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20040325/36a86baa/attachment.pgp>
More information about the LUG
mailing list