Re: Server hacked - next...?
On Sun, 29 Jun 2003 23:47, Jason Lim wrote:
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
>
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
"dpkg --get-selections" will give you a list of installed packages.
The thing to do is to boot from a CD-ROM to do all the work (otherwise you are
using potentially trojaned executables), and resist the temptation to chroot
to the hacked FS.
You can then backup /etc (make sure you don't preserve any SETUID binaries and
check all the security related files for correct contents) and blow away the
root fs. Then you can do a Debian install and use dpkg --set-selections to
install the right packages.
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).
Not all packages support this.
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?
find allows this.
Make sure you change all passwords.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
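Added example, not part of the original thread or of Debian's own tooling: a POSIX shell script that carries out the rescue-media steps described in the reply above (find the setuid/setgid files, copy /etc without preserving any of them, check the copied passwd for extra UID 0 accounts, and record the package selections for "dpkg --set-selections" after the reinstall). It assumes the hacked root filesystem is mounted read-only under a mount point such as /mnt/hacked on a system booted from CD-ROM; the mount point, the output paths and the function names are this example's own assumptions, and dpkg's --admindir option is used so the rescue system's own package database is not consulted.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for the rescue-media
# procedure described above, run from a system booted off CD-ROM with the
# hacked root filesystem mounted read-only. The mount point and the function
# names are this example's assumptions.

# Print every setuid or setgid regular file below MOUNTPOINT. -xdev keeps
# find on that one filesystem, so /proc and other mounts are not scanned.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print the user name of every account in PASSWDFILE whose UID is 0.
# Anything besides "root" here needs a look before the file is reused.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Copy MOUNTPOINT/etc to DEST, skipping setuid/setgid files instead of
# preserving them. Skipped paths go to DEST/.skipped-setuid for manual
# review. Regular files keep their modes and timestamps; symlinks are
# recreated with the same target.
backup_etc() {
    src="$1/etc"
    dest="$2"
    mkdir -p "$dest"
    find "$src" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        > "$dest/.skipped-setuid"
    ( cd "$src" && find . -xdev \( -type f -o -type l \) \
          ! -perm -4000 ! -perm -2000 -print ) |
    while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        if [ -L "$src/$f" ]; then
            ln -s "$(readlink "$src/$f")" "$dest/$f"
        else
            cp -p "$src/$f" "$dest/$f"
        fi
    done
}

# Record the hacked system's package selections in FILE so that, after the
# clean Debian install, "dpkg --set-selections < FILE" can restore them.
# --admindir points dpkg at the mounted filesystem's database rather than
# the rescue system's own.
save_selections() {
    dpkg --admindir="$1/var/lib/dpkg" --get-selections > "$2"
}

# Typical use from the rescue system (paths are assumptions):
#   list_setuid /mnt/hacked
#   backup_etc /mnt/hacked /root/etc-backup
#   uid0_accounts /root/etc-backup/passwd
#   save_selections /mnt/hacked /root/selections.txt
```

The setuid list is worth keeping alongside the /etc backup: compared against the file list of a freshly installed package set it shows which setuid binaries were never supposed to exist, which is exactly what the question about "root suid scripts" is after.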