Re: Server hacked - next...?
Jason Lim:
> Hi Russell,
> Well, SE Linux certainly seems like something that needs to
> be installed.
> Most annoying is that all the recent security updates were
> already done!
> The user CGIs run as the user's UID... suexec.
Consider chrooting apache, and keep the available binaries to a minimum.
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
IMHO there's only one safe way to go after being hacked: reinstall.
While you are re-installing (on another machine), limit the traffic to this
machine to port 80 only, and either do web site updates yourself and/or
refuse them totally until you have a replacement up and running.
> Is there any way to verify the Integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?
Dunno - rpm has the option of checking md5 sums, but the dpkg manpage isn't
promising in this regard.
> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
Check the packages that get installed in debootstrap (perhaps you could just
exactly do that in a separate tree/partition), and download and install them
manually. This should get at least login, libc et al overwritten with proper
binaries. If you choose to run debootstrap on a separate partition (or
machine), you may have to write a little script to gather md5sums for the
fresh install, and compare to the hosed machine.
> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?
chkrootkit. Get it from http://www.chkrootkit.org/
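The "little script to gather md5sums for the fresh install, and compare to the hosed machine" suggested above, plus a setuid sweep for the suid question, as an added example that is not from the thread. It assumes GNU coreutils/findutils, the clean debootstrap tree and the suspect root mounted at two directories (CLEAN and SUSPECT), and paths without whitespace; the demo trees it builds are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread): compare a clean tree against the
# same paths on a suspect tree by md5sum, then list setuid files.
# Assumes GNU coreutils/findutils and file paths without whitespace.

# gather_sums DIR: print "relative-path md5" for every regular file under DIR.
gather_sums() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 md5sum ) |
        sed 's/^\([0-9a-f]*\)  \(.*\)$/\2 \1/'
}

# compare_trees CLEAN SUSPECT: one line per file that is CHANGED on the
# suspect tree, MISSING from it, or EXTRA (present only on the suspect side).
compare_trees() {
    c=$(mktemp) && s=$(mktemp)
    gather_sums "$1" | LC_ALL=C sort -k1,1 > "$c"
    gather_sums "$2" | LC_ALL=C sort -k1,1 > "$s"
    # -a1 -a2 keep unpaired paths; -e fills their absent hash field with NONE
    LC_ALL=C join -a1 -a2 -e NONE -o 0,1.2,2.2 "$c" "$s" |
        awk '$2 == "NONE" { print "EXTRA " $1; next }
             $3 == "NONE" { print "MISSING " $1; next }
             $2 != $3     { print "CHANGED " $1 }'
    rm -f "$c" "$s"
}

# find_suid DIR: regular files with the setuid bit set; add "-user root"
# to the find expression to restrict the listing to root-owned files.
find_suid() {
    find "$1" -xdev -type f -perm -4000
}

# build_demo DIR: constructed sample trees DIR/clean and DIR/suspect
# covering the unchanged, changed, missing and extra-file cases.
build_demo() {
    mkdir -p "$1/clean/bin" "$1/suspect/bin"
    printf 'real login\n' > "$1/clean/bin/login"
    printf 'real login\n' > "$1/suspect/bin/login"   # unchanged
    printf 'real ls\n'    > "$1/clean/bin/ls"
    printf 'trojan ls\n'  > "$1/suspect/bin/ls"      # changed on suspect
    printf 'real ps\n'    > "$1/clean/bin/ps"        # missing on suspect
    printf 'dropped\n'    > "$1/suspect/bin/.sh"     # extra, setuid
    chmod 4755 "$1/suspect/bin/.sh"
}

d=$(mktemp -d) && build_demo "$d"
compare_trees "$d/clean" "$d/suspect"
find_suid "$d/suspect"
```

Run it from the clean system with the hacked disk mounted, not on the hacked machine itself, since its own md5sum and find binaries are among the things that may have been replaced.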