Re: [OT?] Replacing hacked binaries
On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
>
> Hi!
>
> I was wondering, in my thought ramblings, if there was an easy way to
> replace ALL binaries that are in an installed package with their
> (hopefully) original states. i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?
What I do is to make a number of separate partitions. My third rule is:
Any local data you have on the machine should be separate. (I used to say
(from my RedHat days) anything that I would want to save if you had to
completely reinstall the box.)
Every week, I back up these non-Debian partitions. In addition, I back up
/etc and a package list, using dpkg --get-selections.
From this, I can reconstitute a machine relatively quickly. Boot and install
the base system, stop dselect, then reload the previous packages using
dpkg --set-selections
apt-get --dselect-upgrade
and tweak to your liking.
You almost never want to risk trying to patch a rootkit attack. It is too
easy to miss a hidden sniffer or back door.
--
--Brad
============================================================================
Bradley M. Alexander, CISSP | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Debian Developer | storm@debian.org
(703) 889-1049 | storm@tux.org
============================================================================
A 'good' landing is one from which you can walk away. A 'great'
landing is one after which they can use the plane again.
--Rules of the Air, #8
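The weekly backup and the reinstall-then-reload procedure described in the reply above, as an added shell example (not code from the original mail or from Debian itself). The backup directory, the file names and the format pre-check on the saved selections list are my own assumptions; the dpkg and apt-get invocations are the ones named in the mail.

```shell
#!/bin/sh
# Added example: save what is needed to reconstitute a Debian box after
# a reinstall (package list + /etc), and reload it on the fresh system.
# Assumption: BACKUP_DIR and the file names below are my own choice.
set -e

BACKUP_DIR="${BACKUP_DIR:-/var/backups/rebuild}"

# Weekly step: capture the package list and /etc. The local data
# partitions are backed up separately, as the mail describes.
backup_system_state() {
    dir="$1"
    mkdir -p "$dir"
    dpkg --get-selections > "$dir/selections"   # "<package>\t<state>" per line
    tar czf "$dir/etc.tar.gz" -C / etc
}

# Sanity-check a saved selections file before handing it to
# dpkg --set-selections: every line must be "<package> <state>" with
# state one of install, deinstall, purge, hold. Exit status 1 on a bad line.
check_selections() {
    awk 'NF != 2 || $2 !~ /^(install|deinstall|purge|hold)$/ { bad++ }
         END { exit (bad > 0) }' "$1"
}

# Count the packages a selections file will mark for installation.
count_install() {
    awk '$2 == "install" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample list (not from a real system), for trying the checks.
write_sample_selections() {
    printf 'bash\tinstall\nopenssh-server\tinstall\nvim\tinstall\ntelnetd\tdeinstall\n' > "$1"
}

# After installing the base system and stopping dselect: reload the old
# selections and let apt fetch the packages (the two commands from the mail).
restore_packages() {
    check_selections "$1/selections"
    dpkg --set-selections < "$1/selections"
    apt-get --dselect-upgrade
}
```

Run `backup_system_state "$BACKUP_DIR"` from cron on the live box and `restore_packages "$BACKUP_DIR"` on the rebuilt one; the /etc tarball is restored by hand so that the review of what to keep stays deliberate.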