
Re: [OT?] Replacing hacked binaries



* Steve Langasek (vorlon@netexpress.net) [001202 00:42]:
> Just to compare with what's possible on an rpm-using distribution, rpm stores
> md5 checksums of all files from all packages in its database.  If you have a
> known clean version of this database (possibly from removable media), you can
> boot from floppy, drop the clean database back on the drive, and use a known
> good copy of rpm (again from the floppy) to verify what's changed.  When you
> have a machine that's taken a lot of coddling to get everything installed just
> the way you want it, taking the machine off-line for a few hours to do this
> can be a lot easier than a reinstall, and if done with care can be just as
> effective at cleaning up after a break-in.
> 
> Whether or not this is a desirable feature to have in Debian, I don't know.
> But I do think it should be said that even though this method isn't for just
> anyone, it IS possible to clean up a compromised machine without having to
> wipe it out...

I did exactly what you described here. Ronald (rb@debian.org) hacked a three
line perl script that compared all available MD5 sums with the installed
files fully automatically and within minutes. It did not take hours.

However, not all files have md5 sums, and in these missing files enough harm
could be done. And that is even the case for redhat systems.
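As an added illustration (not Ronald's perl script from the post, and not Debian's own tooling), the comparison described above in Python: it checks every recorded md5sum against the file on disk, from a checksum list you would supply from a known-clean copy, and, for the caveat raised, also lists files in the watched directories that have no recorded sum at all. The dpkg-style `.md5sums` line format is assumed, and the file tree in `demo()` is a constructed fixture.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg-style .md5sums text: '<md5hex>  <path relative to />' per line."""
    sums = {}
    for line in text.splitlines():
        digest, sep, path = line.partition("  ")
        if sep:
            sums[path] = digest
    return sums

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, md5sums_text, watch_dirs):
    """Check recorded sums under root; also list files in watch_dirs with no recorded sum."""
    expected = parse_md5sums(md5sums_text)  # must come from a known-clean copy, not the suspect disk
    modified, missing, uncovered = [], [], []
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != digest:
            modified.append(rel)
    for d in watch_dirs:  # files nobody recorded a sum for: the gap the post warns about
        for dirpath, _, names in os.walk(os.path.join(root, d)):
            for n in names:
                rel = os.path.relpath(os.path.join(dirpath, n), root)
                if rel not in expected:
                    uncovered.append(rel)
    return sorted(modified), sorted(missing), sorted(uncovered)

def demo():
    """Constructed fixture (not a real system): one clean, one altered, one missing, one unlisted file."""
    root = tempfile.mkdtemp()
    files = {"bin/clean": b"#!/bin/sh\necho ok\n", "bin/altered": b"#!/bin/sh\necho changed\n", "etc/unlisted.conf": b"x=1\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    recorded = "%s  bin/clean\n%s  bin/altered\n%s  bin/gone\n" % (
        hashlib.md5(files["bin/clean"]).hexdigest(), hashlib.md5(b"#!/bin/sh\necho ok\n").hexdigest(), "0" * 32)
    return verify(root, recorded, ["bin", "etc"])
```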