[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Server hacked - next...?

On Sun, 29 Jun 2003 23:47, Jason Lim wrote:
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?

"dpkg --get-selections" will give you a list of installed packages.

The thing to do is to boot from a CD-ROM to do all the work (otherwise you are 
using potentially trojaned executables), and resist the temptation to chroot 
to the hacked FS.

You can then backup /etc (make sure you don't preserve any SETUID binaries and 
check all the security related files for correct contents) and blow away the 
root fs.  Then you can do a Debian install and use dpkg --set-selections to 
install the right packages.

> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).

Not all packages support this.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

find allows this.

Make sure you change all passwords.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: