Re: [OT?] Replacing hacked binaries

To: debian-security@lists.debian.org
Subject: Re: [OT?] Replacing hacked binaries
From: Jim Breton <jamesb-debian@alongtheway.com>
Date: Fri, 1 Dec 2000 06:02:25 +0000
Message-id: <[🔎] 20001201060225.A26410@alongtheway.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <20001130233809.D6078@chaos.cns.uni.edu>; from janssen@chaos.cns.uni.edu on Thu, Nov 30, 2000 at 11:38:09PM -0600
References: <20001130233809.D6078@chaos.cns.uni.edu>

On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> I was wondering, in my thought ramblings, if there was a easy way to
> replace ALL binaries that are in a installed package with their
> (hoprfully) original states.   i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?


While I'm sure you could work up some script(s) to perform an "apt-get
--reinstall install <package_name>" on all your installed packages, this
won't protect you from a modified apt-get or dpkg (though unlikely), nor
will it let you sleep well at night knowing that there's nothing else
floating around on your system that will run from a cron job or
whatever.  If the system has been r00ted, you really should back up all
your data (or the whole system if you have enough backup space to do so)
and re-install the machine from scratch.  Also perform some inspections
on your old data to see if you can figure out how it was cracked... and
of course try to make sure it doesn't happen again!  :)

P.S. You might want to check out the "debsums" package, it's a nice tool
to have in your collection.

Reply to:

Next by Date: Re: Debian Security-HOWTO
Next by thread: Re: [OT?] Replacing hacked binaries
Index(es):
- Date
- Thread