
Re: Security: system reboot?



hi ya qian

On Mon, 20 Jan 2003, Qian Gong wrote:

> On Mon, Jan 20, 2003 at 11:11:00AM +0100, DEFFONTAINES Vincent wrote:

...

> > If you cannot find why your system rebooted, worry about it ; it might
> > reveal a serious security compromission.
> > You should check your system binaries with md5sum against a system you know
> > is clean.
> > And if I were you, I wouldn't give up until I find why the system rebooted,
> > or I would reinstall it and (re)secure it.
>
> I checked all the log files in /var/log. There is nothing strange in
> these files. Before the strange rebooting, there were only three
> services, ssh, smtp, and printer. The system "should" be secure.

how do you know you didn't miss something obvious ??
 
how do you know if there wasn't a simple power glitch ???
	- if this was the only server affected... you've got a problem

	- if other PCs were also rebooted at exactly the same time
	or within a few seconds/minutes due to their UPS dying...
	then it could be a power failure ??

what commands did you run and how did you run the commands to "check these
files" ???
	all commands are suspect bad commands, designed to hide the
	intruder unless you can verify w/ 100% certainty it's a clean
	binary and its associated libs

> At that time when rebooting, I was using scp, copying files from the woody 
> box. I got an "stall" message at the client machine because of the reboot 
> of server.
> 
> By the way, what is the best way to gather information about system
> reboot? I am not willing to believe the system is compromised but I have
> to make sure it is not. Thanks a lot.

-- hire a local security guru to come and look into your server
	- or ssh into it for you to poke around

-- make a copy of the existing suspect system ... 
	or use a fresh disk and reinstall ( very painful process )

	- reinstalling will NOT help if you do NOT know how they got in,
	who got in, when they got in, why they got in

-- install ckroot and other rootkit detectors
	- apt-get update and apt-get upgrade

	- verify the md5 of each binary that is important
	( bash, find, ps, ls, wget, lynx, crypt, ...
	( apt-get,


-- lots of testing and reviews to do to clear any suspect binaries
	- if you dont know what the md5sum is supposed to be for
	each binary... consider this a "wakeup call" and protect
	your server better against future problems like this

	- lots to do to tighten the server better

	- how do you know the backup that you have does NOT also
	contain the hacker's tools .. that upon reinstall from backup,
	you don't inadvertently reinstall the hacker's tools too

c ya
alvin
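As an added example (not part of alvin's reply or anything else in this thread), here is a shell script for the md5 check he describes: build a baseline manifest on a system you know is clean, then compare the suspect tree against it and flag files that are modified, missing, or planted (present on the suspect box but absent from the baseline). It is meant to be run from the clean host with the suspect disk mounted read-only, so the md5sum, find and awk it calls are the clean host's copies, which addresses his point that every command on the compromised box is suspect. All directory and file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Verifies a suspect filesystem
# tree against a baseline manifest taken from a known-clean system. Run it on
# the clean host with the suspect disk mounted read-only, so the tools used
# here are trusted ones. Paths with whitespace are not handled; for a real
# run use find -print0 or the dpkg .md5sums lists in /var/lib/dpkg/info.

# build_manifest ROOT -> "md5sum  ./relative/path" lines on stdout.
build_manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort -k 2 )
}

# verify_tree MANIFEST ROOT -> one "STATUS path" line per file:
#   OK       hash matches the baseline
#   MODIFIED hash differs (trojaned binary)
#   MISSING  in the baseline but not on the suspect tree
#   EXTRA    on the suspect tree but not in the baseline (planted tool)
verify_tree() {
    manifest="$1"; root="$2"
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
        elif [ "$(md5sum < "$root/$path" | awk '{print $1}')" != "$sum" ]; then
            echo "MODIFIED $path"
        else
            echo "OK       $path"
        fi
    done < "$manifest"
    ( cd "$root" && find . -type f | sort ) | while read -r p; do
        awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "EXTRA    $p"
    done
}

# count_problems MANIFEST ROOT -> number of non-OK lines (0 means clean).
count_problems() {
    verify_tree "$1" "$2" | grep -vc '^OK' || true
}

# Constructed fixture standing in for the reference box and the suspect disk:
# same ls, a trojaned ps, and a planted hidden file on the suspect side.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    printf 'real ps\n' > "$work/clean/bin/ps"
    printf 'real ls\n' > "$work/clean/bin/ls"
    printf 'trojan ps hiding pids\n' > "$work/suspect/bin/ps"
    printf 'real ls\n' > "$work/suspect/bin/ls"
    printf 'sniffer\n' > "$work/suspect/bin/.sn"
    build_manifest "$work/clean" > "$work/baseline.md5"
    verify_tree "$work/baseline.md5" "$work/suspect"
    echo "problems: $(count_problems "$work/baseline.md5" "$work/suspect")"
    rm -rf "$work"
}
demo
```

On a Debian box the baseline can come from a freshly installed reference machine or from the per-package `.md5sums` files that dpkg keeps under `/var/lib/dpkg/info`, but only copies taken from a clean system count; keep the manifest off the suspect host, since an intruder who can replace `ps` can edit a manifest stored beside it just as easily. MD5 is what the thread discusses and is enough to catch a swapped binary, but it is no longer collision resistant, so a manifest built today should use `sha256sum` instead.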


