
Re: Server hacked - next...?



On Sun, Jun 29, 2003 at 04:16:47PM +0200, Thomas Lamy wrote:
> > Re-installing from scratch would be a real pain... the server 
> > runs on a
> > 3ware array, and has hundreds of users, all active :-/
> IMHO there's only one safe way to go after being hacked: reinstall.

Jason, if you're really determined not to do a reinstall, you can first
construct a list of all installed packages, download them from your nearest
mirror, and re-install them with dpkg.  that will fix up the debian packages
but WILL NOT do anything about non-debian binaries that may be on your
system...you'll have to find and fix them by hand.

overall, this is not a good idea - your script-kiddie may be logged in while
you're fixing the machine, silently unfixing it.  that said, i have fixed a few
(remotely-located) boxes this way, to avoid the travel time & expense of going
out to sit at the console to do a complete reinstall.  you do need to be very
skilled (in security issues, general systems admin, and debian systems admin)
before you even consider doing this....definitely NOT recommended for newbies.
actually, it's not recommended for anyone at all.

if you insist on doing this, some important packages & binaries to reinstall
first are netstat, ls, libc6, and procps - i.e. diagnostic tools that you can
run to show what processes are running, what files are in a directory, what
network connections are open etc.  script-kiddies routinely replace these with
compromised versions that try to hide SK activity.

> > Is there any way to verify the Integrity of the files somehow, and
> > download/re-install any binaries that do not match the checksums or
> > something? Does dpkg or some other Debian tool have this ability?
>
> Dunno - rpm has the option of checking md5 sums, but the dpkg manpage isn't
> promising in this regard.

my dlocate package has an md5 checking facility but a) not all debian packages
have md5sum files, and b) debian md5sum files are not signed, so they're easily
compromised by any script-kiddie that cares to bother.  in short, it's a nice
idea but not terribly useful.

e.g.

# dlocate -md5check net-tools
/usr/sbin/arp                                     OK
/usr/share/man/man5/ethers.5.gz                   OK
/usr/share/man/man8/arp.8.gz                      OK
/usr/share/man/man8/ifconfig.8.gz                 OK
/usr/share/man/man8/mii-tool.8.gz                 OK
/usr/share/man/man8/nameif.8.gz                   OK
/usr/share/man/man8/netstat.8.gz                  OK
/usr/share/man/man8/plipconfig.8.gz               OK
/usr/share/man/man8/rarp.8.gz                     OK
/usr/share/man/man8/route.8.gz                    OK
/usr/share/man/man8/slattach.8.gz                 OK
/usr/share/locale/de/LC_MESSAGES/net-tools.mo     OK
/usr/share/locale/fr/LC_MESSAGES/net-tools.mo     OK
/usr/share/locale/pt_BR/LC_MESSAGES/net-tools.mo  OK
/usr/share/locale/et_EE/LC_MESSAGES/net-tools.mo  OK
/usr/share/locale/cs/LC_MESSAGES/net-tools.mo     OK
/usr/share/doc/net-tools/README                   OK
/usr/share/doc/net-tools/README.ipv6              OK
/usr/share/doc/net-tools/TODO                     OK
/usr/share/doc/net-tools/copyright                OK
/usr/share/doc/net-tools/changelog.Debian.gz      OK
/sbin/ifconfig                                    OK
/sbin/nameif                                      OK
/sbin/plipconfig                                  OK
/sbin/rarp                                        OK
/sbin/slattach                                    OK
/sbin/ipmaddr                                     OK
/sbin/iptunnel                                    OK
/sbin/mii-tool                                    OK
/bin/netstat                                      OK


craig
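The point craig makes about unsigned md5sum files is easy to see with a small experiment. The script below is an added example, not dlocate's code and not part of the original message: it re-implements the same "hash each listed file and print OK/FAILED" check that `dlocate -md5check` performs against `/var/lib/dpkg/info/<pkg>.md5sums`, then plays intruder by swapping a binary and rewriting that md5sums file to match, and finally re-checks against a hash table taken from somewhere the intruder could not edit (in practice: the same package freshly downloaded from a mirror and unpacked with `dpkg-deb -x` into a scratch directory, or the hashes from a known-clean box). Everything it touches is a constructed fake root in a temp directory; the file contents, the two-entry "net-tools" package and the trojaned netstat are all made up for the demonstration.

```python
import hashlib
import os
import tempfile

# Where dpkg keeps the per-package list (path relative to the fake root).
MD5SUMS_REL = "var/lib/dpkg/info/net-tools.md5sums"

# Constructed stand-ins for package binaries; not real net-tools content.
CLEAN = {
    "bin/netstat": b"#!/bin/sh\necho 'genuine netstat'\n",
    "sbin/ifconfig": b"#!/bin/sh\necho 'genuine ifconfig'\n",
}
# Constructed trojan: a netstat that hides one port from its own output.
TROJANED_NETSTAT = b"#!/bin/sh\necho 'genuine netstat' | grep -v 6667\n"


def parse_md5sums(text):
    """Parse "<md5>  <path relative to />" lines, the md5sum -c format that
    dpkg writes. Returns {relpath: md5hex}; raises on a malformed line."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError("malformed md5sums line: %r" % line)
        sums[path] = digest.lower()
    return sums


def write_md5sums(path, sums):
    with open(path, "w") as f:
        for rel, digest in sorted(sums.items()):
            f.write("%s  %s\n" % (digest, rel))


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, expected):
    """Hash every path in expected under root.
    Returns {relpath: "OK" | "FAILED" | "MISSING"}."""
    result = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result[rel] = "MISSING"
        elif md5_of_file(full) == digest:
            result[rel] = "OK"
        else:
            result[rel] = "FAILED"
    return result


def build_fake_root():
    """Lay out the clean files plus the md5sums list dpkg would have written.
    Returns (root, reference): reference is the trusted hash table you would
    get by unpacking a freshly downloaded .deb somewhere else."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    reference = {}
    for rel, data in CLEAN.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        reference[rel] = hashlib.md5(data).hexdigest()
    md5sums = os.path.join(root, MD5SUMS_REL)
    os.makedirs(os.path.dirname(md5sums), exist_ok=True)
    write_md5sums(md5sums, reference)
    return root, reference


def simulate_intruder(root):
    """What a rootkit does: replace the binary AND rewrite the unsigned
    md5sums file so the on-box check keeps saying OK."""
    with open(os.path.join(root, "bin/netstat"), "wb") as f:
        f.write(TROJANED_NETSTAT)
    md5sums = os.path.join(root, MD5SUMS_REL)
    with open(md5sums) as f:
        local = parse_md5sums(f.read())
    local["bin/netstat"] = hashlib.md5(TROJANED_NETSTAT).hexdigest()
    write_md5sums(md5sums, local)


def run_demo():
    """Returns (check against the box's own md5sums, check against reference)."""
    root, reference = build_fake_root()
    simulate_intruder(root)
    with open(os.path.join(root, MD5SUMS_REL)) as f:
        on_box = verify_tree(root, parse_md5sums(f.read()))
    return on_box, verify_tree(root, reference)


if __name__ == "__main__":
    on_box, trusted = run_demo()
    print("against the box's own md5sums file:")
    for rel, status in sorted(on_box.items()):
        print("  /%-20s %s" % (rel, status))
    print("against hashes from a freshly downloaded package:")
    for rel, status in sorted(trusted.items()):
        print("  /%-20s %s" % (rel, status))
```

The first check reports every file OK even though netstat has been replaced, because the attacker edited the hash list along with the binary; only the comparison against hashes the box never controlled flags `/bin/netstat` as FAILED. That is the practical consequence of craig's caveat: run the check from a rescue medium or against a trusted copy of the package, and treat an all-OK result from the box's own md5sums files as no evidence at all.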
