[lug] R00tKIT!! Raah!
Nate Duehr
nate at natetech.com
Thu Jun 16 00:31:31 MDT 2005
Bear Giles wrote:
> I wouldn't trust checksums since an undetected rootkit may still change
> the results. But I don't think it's hard to reinstall packages. E.g.,
> in Debian it's
>
> # apt-get install --reinstall procps
>
> to reinstall procps. The paranoid would run # apt-get clean first and
> hardcode the ip addresses in /etc/apt/sources.list for the duration.
> You could get a list of every installed package with dpkg -l. Just
> leave the config files as they were. (Although you might want to
> eyeball them anyway.)
The super-paranoid would know it was likely the shell and/or apt-get
itself could be compromised to keep reinstalling garbage or acting like
it was installing and leaving things alone, too.
Checking for all the various possibilities in that vicious cycle is
usually harder than just reloading the box. ;-)
Grabbing a statically-linked shell like sash for this type of event
after booting from something like a live-CD to keep from using ANYTHING
on the compromised system, and not running anything until all its
dependencies are met with known NEW libraries, etc... is usually a good
step.
It's really hard to do it right and you don't sleep well if you have to
do it and you realize how many things could still be hiding on the box
for your future pleasure.
Nate
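The reinstall-everything step from Bear's reply, as an added example that is not code from either poster: a POSIX sh fragment that turns `dpkg -l` output into the `apt-get clean && apt-get install --reinstall ...` command, keeping only packages whose status is `ii` (so `rc` entries, where only config files remain, and unknown/virtual entries are skipped). The `dpkg -l` listing is constructed for the example.

```shell
# Constructed sample of `dpkg -l` output (not from the thread). The header
# lines, the 'rc' entry (removed, config files only) and the 'un' entry are
# the cases the filter has to leave out.
SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-=========================================
ii  procps         2:3.2.5-1      /proc file system utilities
ii  coreutils      5.2.1-2        The GNU core utilities
rc  old-daemon     1.0-1          removed, only config files remain
ii  libc6:i386     2.3.2.ds1-22   GNU C Library (multiarch-style name)
un  fake-provides  <none>         virtual/unknown entry'

# Print the installed package names (status "ii"), one per line, from
# dpkg -l text on stdin. A pkg:arch name is kept as-is so apt-get reinstalls
# exactly that binary package.
installed_packages() {
    awk '$1 == "ii" { print $2 }'
}

# Build the command that empties the local archive cache first and then
# re-fetches and reinstalls every installed package, so binaries on disk are
# replaced rather than trusted because a checksum matched. Returns 1 (and
# prints nothing) when the listing contains no installed package at all.
reinstall_command() {
    pkgs=$(installed_packages | tr '\n' ' ')
    pkgs=${pkgs% }
    [ -n "$pkgs" ] || return 1
    printf 'apt-get clean && apt-get install --reinstall %s\n' "$pkgs"
}

# Usage: feed a real listing with `dpkg -l | reinstall_command` and review the
# output before running it; here the constructed sample is used.
printf '%s\n' "$SAMPLE_DPKG_L" | reinstall_command
```

As the thread points out, this only helps if `dpkg`, `apt-get` and the shell running it are themselves trustworthy, which is why the listing and the reinstall are best driven from a live-CD environment.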