Re: [OT!] Replacing hacked binaries
I apologise if the following offends with its strong wording, but I'm
trying to make a point that one shouldn't take lightly.
> On Fri, 1 Dec 2000, Jan Martin Mathiassen wrote:
> > okay, say you know you've been hacked, then what?
Reinstall. Always.
> > as someone else said, what if dpkg and apt-get has been replaced? what if
> > some additional executable has been added with root access? what if some of
> > your conf files have been modified (anonymous ftp, anyone?)? what if your
> > apache server config has been modified, so he has a backdoor?
And these are just applications. Suppose the kernel's been changed.
Suppose the boot loader loads your new friend's kernel and not your own,
which hides /.foo/bin/blah, which is what's really executed when you think
you ask your shell to ask the kernel to fork a process and exec
/bin/blah.
Suppose there's some other more ingenious method that the script-kiddie
uses to own your box, and it's not the obvious bootloader + kernel
replacement, but an even better one that running LILO won't fix.
> > no, the best thing to do, really, is to take the whole box offline, figure
> > out wtf the dork did, search for a fix ... and reinstall. clean install.
> > otherwise, GOD knows what kind of dog droppings the guy left behind (and you
> > definitely don't want to step into those :)
Jan knows of what he speaks, here.
Now, consider checksums...
On Fri, Dec 01, 2000 at 05:38:38PM -0600, Steve Langasek wrote:
> Just to compare with what's possible on an rpm-using distribution, rpm stores
> md5 checksums of all files from all packages in its database. If you have a
> known clean version of this database (possibly from removable media), you can
> boot from floppy, drop the clean database back on the drive, and use a known
> good copy of rpm (again from the floppy) to verify what's changed. [...]
Checksums are good to find files that have changed on a trusted system.
They have nothing to do with security. When your box has been cracked,
_you can trust nothing._ Ever. Really.
Yes! You can boot with a floppy, and run your checksummer to verify that
files have the same sum as the .deb expects. Is that /usr/bin/od what's
run when you type it? Is it? Sure?
Security people should know Descartes' problem. (Evil genius controlling
senses... only sure of existence of self... etc.)
> Whether or not this is a desirable feature to have in Debian, I don't know.
> But I do think it should be said that even though this method isn't for just
> anyone, it IS possible to clean up a compromised machine without having to
> wipe it out...
It might be desirable, but don't mention security WRT it. That'll lead
to sloppy thinking and sloppy security. In fact -- explicitly warn
people away from using it for security purposes.
Having seemingly badmouthed this proposal, let me say I support it.
Checksums _are_ useful if one thinks that on a trusted system, the
packaging is borken by some (e.g.) ex-slackware admin. It's poison,
otherwise.
Everyone take a gander at Ken Thompson's article in the ACM Classics.
google: "Ken Thompson" login compiler
- chad
--
Chad Miller <cmiller@surfsouth.com> URL: http://web.chad.org/ (GPG)
"Any technology distinguishable from magic is insufficiently advanced".
First corollary to Clarke's Third Law (Jargon File, v4.2.0, 'magic')
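The offline check that Steve's quoted paragraph describes and Chad qualifies (boot from trusted media, mount the suspect disk, compare every packaged file against a known-good checksum list), as an added example that is not part of this thread and not any Debian or rpm tool. It assumes the manifest is in the two-column layout dpkg uses for its .md5sums files (`<md5 hex>  <path relative to />`), that the suspect filesystem is mounted read-only at some `root`, and that the sample tree and manifest below are constructed. It reports changed, missing, and unlisted files; Chad's caveat still applies, since the result is only as trustworthy as the kernel and Python interpreter doing the checking.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def parse_md5sums(text):
    """Parse '<md5 hex>  <relpath>' lines (dpkg .md5sums layout) into {relpath: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, relpath = line.partition("  ")
        if len(digest) != 32 or not relpath:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[relpath] = digest.lower()
    return expected


def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, expected):
    """Compare the tree under `root` (the mounted suspect filesystem) with a
    trusted manifest. Returns sorted lists under 'ok', 'changed', 'missing'
    and 'unlisted' (regular files present but absent from the manifest, the
    'additional executable' case from the thread). Only meaningful when the
    kernel, interpreter and manifest used here come from trusted media."""
    result = {"ok": [], "changed": [], "missing": [], "unlisted": []}
    for relpath, digest in expected.items():
        p = Path(root) / relpath
        if not p.is_file():
            result["missing"].append(relpath)
        elif md5_of(p) == digest:
            result["ok"].append(relpath)
        else:
            result["changed"].append(relpath)
    listed = set(expected)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in listed:
                result["unlisted"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed sample: one intact file, one modified file, one missing file,
    and one hidden extra (the /.foo/bin/blah from the thread), checked against
    a constructed manifest. Returns the verify_tree() report."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "usr" / "bin"
        bin_dir.mkdir(parents=True)
        good_od = b"#!/bin/sh\necho od\n"
        original_ls = b"#!/bin/sh\necho ORIGINAL ls\n"
        (bin_dir / "od").write_bytes(good_od)                 # intact
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\necho ls\n")  # tampered
        hidden = Path(root) / ".foo" / "bin"
        hidden.mkdir(parents=True)
        (hidden / "blah").write_bytes(b"#!/bin/sh\n")          # not in any package
        manifest = "\n".join([
            hashlib.md5(good_od).hexdigest() + "  usr/bin/od",
            hashlib.md5(original_ls).hexdigest() + "  usr/bin/ls",
            "0" * 32 + "  usr/bin/dpkg",                       # deleted from disk
        ])
        return verify_tree(root, parse_md5sums(manifest))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:9s} {files}")
```

In real use the manifest would be the concatenated `/var/lib/dpkg/info/*.md5sums` copied from trusted media, and `root` the read-only mount of the suspect disk; a clean report still says nothing about a replaced kernel or boot loader, which is exactly the point the post makes.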