
Re: [OT?] Replacing hacked binaries



On Fri, 1 Dec 2000, Jan Martin Mathiassen wrote:

> On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> > Hi!

> <british accent with accompanying stiff upper lip>
> ullo!
> </british accent with accompanying stiff upper lip>

> > I was wondering, in my thought ramblings, if there was an easy way to
> > replace ALL binaries that are in an installed package with their
> > (hopefully) original states.   i.e. If a machine was to fall victim to
> > a rootkit attack, how could I effectively re-install all the "debian
> > original" binaries to de-rootkit it?

> okay, say you know you've been hacked, then what?

> as someone else said, what if dpkg and apt-get have been replaced? what if
> some additional executable has been added with root access? what if some of
> your conf files have been modified (anonymous ftp, anyone?)? what if your
> apache server config has been modified, so he has a backdoor?

> no, the best thing to do, really, is to take the whole box offline, figure
> out wtf the dork did, search for a fix ... and reinstall. clean install.
> otherwise, GOD knows what kind of dog droppings the guy left behind (and you
> definitely don't want to step into those :)

Hi Jan,

Just to compare with what's possible on an rpm-using distribution, rpm stores
md5 checksums of all files from all packages in its database.  If you have a
known clean version of this database (possibly from removable media), you can
boot from floppy, drop the clean database back on the drive, and use a known
good copy of rpm (again from the floppy) to verify what's changed.  When you
have a machine that's taken a lot of coddling to get everything installed just
the way you want it, taking the machine off-line for a few hours to do this
can be a lot easier than a reinstall, and if done with care can be just as
effective at cleaning up after a break-in.

Whether or not this is a desirable feature to have in Debian, I don't know.
But I do think it should be said that even though this method isn't for just
anyone, it IS possible to clean up a compromised machine without having to
wipe it out...

Steve Langasek
postmodern programmer
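The verification step Steve describes (a trusted checksum database plus a trusted verifier, both kept off the possibly-compromised disk, compared against the live filesystem) reduces to a small manifest check. The following is an added illustration, not code from this thread or from rpm; the function names and the JSON manifest format are my own, and md5 is used only because that is what the rpm database of the day stored.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path, algo="md5"):
    """Hash one file in chunks; md5 matches what the rpm database stored at the time."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, algo="md5"):
    """Map each regular file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def save_manifest(manifest, dest):
    """Write the baseline as JSON; in practice dest lives on read-only/removable media."""
    Path(dest).write_text(json.dumps(manifest, sort_keys=True, indent=1))

def load_manifest(src):
    return json.loads(Path(src).read_text())

def verify(root, baseline, algo="md5"):
    """Compare the live tree with the trusted baseline, like the checksum part of `rpm -Va`."""
    current = build_manifest(root, algo)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline a tiny 'bin' tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls\n")
        (root / "bin" / "ps").write_bytes(b"original ps\n")
        save_manifest(build_manifest(root), Path(tmp) / "baseline.json")  # the "floppy" copy
        # Simulated tampering: one binary altered, one removed, one unexpected file added.
        (root / "bin" / "ls").write_bytes(b"altered ls\n")
        (root / "bin" / "ps").unlink()
        (root / "bin" / "extra").write_bytes(b"unexpected\n")
        return verify(root, load_manifest(Path(tmp) / "baseline.json"))
```

The result is only as trustworthy as the manifest and the interpreter running this script, which is exactly why the thread insists both come from media the intruder could not touch.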


