
Re: [OT?] Replacing hacked binaries



On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> Hi!

<british accent with accompanying stiff upper lip>
ullo!
</british accent with accompanying stiff upper lip>

> I was wondering, in my thought ramblings, if there was an easy way to
> replace ALL binaries that are in an installed package with their
> (hopefully) original states.   i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?

okay, say you know you've been hacked, then what?

as someone else said, what if dpkg and apt-get have been replaced? what if
some additional executable has been added with root access? what if some of
your conf files have been modified (anonymous ftp, anyone?)? what if your
apache server config has been modified, so he has a backdoor?

no, the best thing to do, really, is to take the whole box offline, figure
out wtf the dork did, search for a fix ... and reinstall. clean install.
otherwise, GOD knows what kind of dog droppings the guy left behind (and you
definitely don't want to step into those :)

-- 
-m

When you are having a bad day, and it seems like everybody is trying to piss
you off, remember that it takes 42 muscles to produce a frown, but only 4
muscles to work the trigger of a good sniper rifle.
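An added example (not part of the thread above) of the one check that is still meaningful when the box's own dpkg database cannot be trusted: verifying files against a Debian-style .md5sums manifest that was taken from a clean copy of the package (the original .deb on read-only media), not from /var/lib/dpkg/info on the suspect machine. The demo root, file contents and the "tampered" file are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks every file listed in a
# Debian .md5sums manifest ("<md5>  <path relative to />") against a root
# directory. The manifest MUST come from a trusted source: on a rooted box
# /var/lib/dpkg/info/*.md5sums may have been rewritten along with the binaries.

# verify_manifest <root> <md5sums-file>
# Prints one line per missing or modified file; returns 0 only if all match.
verify_manifest() {
    root=$1
    manifest=$2
    status=0
    while read -r sum path; do
        [ -n "$sum" ] || continue           # skip blank lines
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed demo: a fake root with two "binaries"; the manifest is written
# while both are genuine, then one file is altered afterwards (standing in for
# a trojaned binary). Prints the temp directory it created.
demo_setup() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/bin" "$demo/root/sbin"
    printf 'genuine ls\n' > "$demo/root/bin/ls"
    printf 'genuine ifconfig\n' > "$demo/root/sbin/ifconfig"
    ( cd "$demo/root" && md5sum bin/ls sbin/ifconfig ) > "$demo/trusted.md5sums"
    printf 'backdoored ifconfig\n' > "$demo/root/sbin/ifconfig"   # tamper after the fact
    echo "$demo"
}
```

Run `verify_manifest / /media/cdrom/pkg.md5sums` style against a real root only after booting from clean media, since md5sum itself is suspect on the compromised system.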
