Re: [OT?] Replacing hacked binaries

On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> I was wondering, in my thought ramblings, if there was an easy way to
> replace ALL binaries that are in an installed package with their
> (hopefully) original states.   i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?

While I'm sure you could work up some script(s) to perform an "apt-get
--reinstall install <package_name>" on all your installed packages, this
won't protect you from a modified apt-get or dpkg (though unlikely), nor
will it let you sleep well at night knowing that there's nothing else
floating around on your system that will run from a cron job or
whatever.  If the system has been r00ted, you really should back up all
your data (or the whole system if you have enough backup space to do so)
and re-install the machine from scratch.  Also perform some inspections
on your old data to see if you can figure out how it was cracked... and
of course try to make sure it doesn't happen again!  :)

P.S. You might want to check out the "debsums" package; it's a nice tool
to have in your collection.
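Added example, not from the thread and not the debsums package's own code: a small POSIX shell script that does by hand what the reply suggests, checking installed files against the per-package md5sums manifests dpkg keeps and listing the packages whose files no longer match, which is the set you would feed to `apt-get --reinstall install`. It assumes the manifest format is one `<md5hex>  <relative path>` line per file, as in `/var/lib/dpkg/info/<package>.md5sums`; the package names, file contents and the tampered file are all constructed inside the script so it runs offline. As the reply points out, if `md5sum`, `dpkg` or `apt-get` themselves have been replaced, a check run on the compromised system proves nothing; run it from a trusted boot medium, or reinstall from scratch.

```shell
#!/bin/sh
# Constructed example: verify files against dpkg-style md5sums manifests and
# name the packages that need reinstalling. Manifest format assumed to be
# "<md5hex>  <path relative to root>", one entry per line.

# verify_manifest ROOT MANIFEST
# Prints "MISSING <path>" or "MODIFIED <path>" for each entry that no longer
# matches under ROOT. Returns 1 if anything differs, 0 if all files are intact.
verify_manifest() {
    vroot="$1"; manifest="$2"; rc=0
    while read -r want rel; do
        [ -n "$rel" ] || continue              # skip blank lines
        f="$vroot/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $rel"; rc=1; continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $rel"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# packages_to_reinstall INFODIR ROOT
# For every <pkg>.md5sums in INFODIR, prints <pkg> once if any of its files
# under ROOT fail verification. Pipe the result into
#   xargs -r apt-get --reinstall install -y
# on a system whose apt/dpkg you still trust.
packages_to_reinstall() {
    infodir="$1"; proot="$2"
    for m in "$infodir"/*.md5sums; do
        pkg=$(basename "$m" .md5sums)
        if ! verify_manifest "$proot" "$m" >/dev/null; then
            echo "$pkg"
        fi
    done
}

# make_demo
# Builds a constructed mini filesystem with two fake packages ("greet" and
# "svc"), records pristine hashes, then alters one of greet's files to stand
# in for a replaced binary. Prints the temp directory it created.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin" "$d/root/usr/sbin" "$d/info"
    printf 'echo hello\n' > "$d/root/usr/bin/hello"
    printf 'echo bye\n'   > "$d/root/usr/bin/bye"
    printf 'exit 0\n'     > "$d/root/usr/sbin/daemon"
    # md5sum's own output is exactly the manifest format we check against.
    ( cd "$d/root" && md5sum usr/bin/hello usr/bin/bye ) > "$d/info/greet.md5sums"
    ( cd "$d/root" && md5sum usr/sbin/daemon )          > "$d/info/svc.md5sums"
    # Simulate post-install tampering of one file.
    printf 'echo hello # altered after install\n' > "$d/root/usr/bin/hello"
    echo "$d"
}

# Stand-alone run: report which constructed packages would need reinstalling.
demo_dir=$(make_demo)
echo "Packages with altered or missing files:"
packages_to_reinstall "$demo_dir/info" "$demo_dir/root"
rm -rf "$demo_dir"
```

On a real Debian system the manifest directory is `/var/lib/dpkg/info` and the root is `/`; the same two functions apply unchanged, but note that packages without an `.md5sums` file (and conffiles, which legitimately change) are not covered, which is one reason the reply still recommends a clean reinstall over trusting any in-place check.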
