Re: [OT?] Replacing hacked binaries
On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> I was wondering, in my thought ramblings, if there was an easy way to
> replace ALL binaries that are in an installed package with their
> (hopefully) original states. i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?
What I do is to make a number of separate partitions. My third rule is:
Any local data you have on the machine should be separate. (I used to say
(from my RedHat days) anything that I would want to save if you had to
completely reinstall the box.)
Every week, I back up these non-Debian partitions. In addition, I back up
/etc and a package list, using dpkg --get-selections.
From this, I can reconstitute a machine relatively quickly. Boot and install
the base system, stop dselect, then reload the previous packages using
and tweak to your liking.
You almost never want to risk trying to patch a rootkit attack. It is too
easy to miss a hidden sniffer or back door.
Bradley M. Alexander, CISSP | Co-Chairman,
Beowulf System Admin/Security Specialist | NoVALUG/DCLUG Security SIG
Debian Developer | email@example.com
(703) 889-1049 | firstname.lastname@example.org
A 'good' landing is one from which you can walk away. A 'great'
landing is one after which they can use the plane again.
--Rules of the Air, #8
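As an added example (not code from the thread or from Debian): a small sh script for the weekly routine the reply describes, saving /etc and a dpkg selection list, plus a restore step after a clean base install using dpkg --set-selections and apt-get dselect-upgrade (my assumed counterparts to --get-selections) and a check that lists packages which appeared since the saved list. BACKUP_DIR is a placeholder path.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes a Debian host with
# dpkg and apt-get; BACKUP_DIR is a placeholder and can be overridden.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/mnt/backup/$(uname -n)}"

# Save the package selection list and a tarball of /etc into the directory $1.
backup_config() {
    mkdir -p "$1"
    dpkg --get-selections > "$1/selections.txt"
    tar -czf "$1/etc.tar.gz" -C / etc
}

# Print only the packages a saved selection list marks "install", one per line.
# deinstall/purge/hold entries are dropped so no stale state is carried over.
install_list() {
    awk '$2 == "install" { print $1 }' "$1"
}

# Print packages marked install in a current list ($2) but not in the saved
# list ($1): anything that appeared since the last backup deserves a look
# before the saved list is trusted for a rebuild.
new_since_backup() {
    _saved=$(mktemp)
    install_list "$1" | sort > "$_saved"
    install_list "$2" | sort | comm -13 "$_saved" -
    rm -f "$_saved"
}

# After booting and installing the base system: feed the saved selections
# back and let apt pull the packages from the mirror. /etc is then restored
# from the tarball by hand and tweaked.
restore_packages() {
    install_list "$1" | sed 's/$/ install/' | dpkg --set-selections
    apt-get dselect-upgrade
}

case "${1:-}" in
    backup)  backup_config "$BACKUP_DIR" ;;
    restore) restore_packages "$BACKUP_DIR/selections.txt" ;;
esac
```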