
Re: Verify programs



hi bas

On Mon, 25 Aug 2003, Bas Benschop wrote:

> Hello,
> 
> This weekend several systems at our site were hacked. In /var/spool/.test/
> several programs were installed, log, pscan, x and xscan.

do you mind saying which "versions" they broke into

do you mind saying how you think they got in ??


> Also some system utilities were replaced with older versions. Is it
> possible to check the versions of programs and compare them with the
> versions in the package database?

unless you were running tripwire, aide, or another filesystem checker,
it'd be a lot of work to check the integrity

do you have other identical systems to check against ?? 

easiest way:
	new box#  rebuild a new deb box from scratch
		-- put in a new disk is best way ... and start to build
		a new debian install

	hacked box#  dpkg --get-selections > /mnt/floppy/installed.list

	new box#  dpkg --set-selections < /mnt/floppy/installed.list
	new box#  ls -laR /bin /sbin /lib /usr/sbin /usr/bin
		/usr/local/bin /usr/local/sbin /usr/local/lib 
		.. other stuff you wanna check ..

		you can do all the md5sum stuff too but too much work 
		and a lot slower

	compare the results with a clean "diff" on the new box and the
	hacked box and reinstall the affected packages
		- check the libraries
		- check the /sbin /usr/sbin binaries
		- check the /bin /usr/bin binaries
		- check /usr/local
		- endless and daily checking ..

	hacked box#  apt-get dist-upgrade
	hacked box#  apt-get update
	hacked box#  apt-get upgrade


- burn a cdrom of a brand-new disk before it goes live on the net
  so that you always have a basis to compare against

- gazillion ways to "verify" the systems
	
c ya
alvin
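Added example, not part of Alvin's reply: the "compare a clean box against the hacked box" step above, scripted. It builds a per-file manifest (sha256, mode, size, path) of a directory tree and diffs a suspect tree's manifest against a trusted reference manifest, reporting files that were added, went missing, or changed in content or permissions. The trees, file contents and the directory names `ref` and `suspect` are constructed for the demo; on a real system the reference manifest would come from the freshly rebuilt box or the cdrom burned before go-live. Assumes GNU or BSD `stat` and `sha256sum` are available.

```shell
#!/bin/sh
# Added example (not from the thread). Compare a suspect tree against a
# trusted reference tree by manifest, the way one would diff a clean rebuild
# against a compromised box.

# manifest_tree DIR
# Prints one tab-separated line per regular file: sha256, mode, size, path
# (relative to DIR), sorted by path so two manifests can be compared directly.
manifest_tree() {
    ( cd "$1" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sum=$(sha256sum "$f" | cut -d' ' -f1)
          # GNU stat first, BSD stat as fallback (assumption: one of them exists)
          mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
          size=$(wc -c < "$f" | tr -d ' ')
          printf '%s\t%s\t%s\t%s\n' "$sum" "$mode" "$size" "${f#./}"
      done )
}

# compare_manifests REF_MANIFEST SUSPECT_MANIFEST
# Prints ADDED / MISSING / CHANGED lines. A file counts as CHANGED if its
# hash, mode or size differs, so a replaced binary or a newly setuid file
# both show up.
compare_manifests() {
    awk -F'\t' '
        NR == FNR { ref[$4] = $1 " " $2 " " $3; next }
        {
            seen[$4] = 1
            cur = $1 " " $2 " " $3
            if (!($4 in ref))        print "ADDED " $4
            else if (ref[$4] != cur) print "CHANGED " $4
        }
        END { for (p in ref) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed trees standing in for a clean rebuild and the hacked box.
demo() {
    tmp=$(mktemp -d)
    ref=$tmp/ref
    sus=$tmp/suspect
    mkdir -p "$ref/bin" "$sus/bin" "$sus/var/spool/.test"
    # constructed sample contents, not real binaries
    printf 'ls v1\n'   > "$ref/bin/ls";    printf 'ls v1\n'  > "$sus/bin/ls"
    printf 'ps v1\n'   > "$ref/bin/ps";    printf 'ps OLD\n' > "$sus/bin/ps"
    printf 'login v1\n' > "$ref/bin/login"            # absent on the suspect box
    printf 'scanner\n'  > "$sus/var/spool/.test/pscan" # present only on the suspect box
    chmod 4755 "$sus/bin/ls"                           # same bytes, but now setuid
    manifest_tree "$ref" > "$tmp/ref.manifest"
    manifest_tree "$sus" > "$tmp/suspect.manifest"
    compare_manifests "$tmp/ref.manifest" "$tmp/suspect.manifest"
    rm -rf "$tmp"
}

demo
```

In practice you would run `manifest_tree` over the same list of directories on both boxes (/bin /sbin /lib /usr/bin /usr/sbin /usr/local ...), carry the reference manifest over on read-only media, and run the comparison from the clean box, since the suspect box's own `sha256sum`, `find` and `awk` may be among the replaced binaries.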


