
Re: [OT?] Replacing hacked binaries

On Thu, Nov 30, 2000 at 11:38:09PM -0600, Michael Janssen (CS/MATH stud.) wrote:
> Hi!
> I was wondering, in my thought ramblings, if there was an easy way to
> replace ALL binaries that are in an installed package with their
> (hopefully) original states.   i.e. If a machine was to fall victim to
> a rootkit attack, how could I effectively re-install all the "debian
> original" binaries to de-rootkit it?

What I do is to make a number of separate partitions. My third rule is:

Any local data you have on the machine should be separate. (I used to say 
(from my RedHat days) anything that I would want to save if you had to 
completely reinstall the box.)

Every week, I back up these non-Debian partitions. In addition, I back up
/etc and a package list, using dpkg --get-selections. 

From this, I can reconstitute a machine relatively quickly. Boot and install
the base system, stop dselect, then reload the previous packages using 

dpkg --set-selections < saved-package-list
apt-get dselect-upgrade

and tweak to your liking.

You almost never want to risk trying to patch a rootkit attack. It is too
easy to miss a hidden sniffer or back door.

Bradley M. Alexander, CISSP              |   Co-Chairman,
Beowulf System Admin/Security Specialist |    NoVALUG/DCLUG Security SIG
Debian Developer			 |   storm@debian.org
(703) 889-1049                           |   storm@tux.org
A 'good' landing is one from which you can walk away. A 'great'
landing is one after which they can use the plane again.
					--Rules of the Air, #8
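The weekly backup and rebuild routine described in the post above, written out as a small shell script; this is an added example, not code from the original message. It assumes a backup directory of your choosing, and the dpkg and apt-get command names are overridable through DPKG and APT_GET so the functions can be exercised on a box that is not Debian.

```shell
#!/bin/sh
# Save the package list and /etc each week; after a fresh base install,
# feed the saved selections back and let apt-get pull the packages.
set -eu

# Command names are overridable so the functions can be tested without dpkg.
DPKG=${DPKG:-dpkg}
APT_GET=${APT_GET:-apt-get}

# backup_state BACKUP_DIR [ETC_DIR]
# Writes selections-YYYYMMDD and etc-YYYYMMDD.tar.gz into BACKUP_DIR and
# prints the path of the selections file.
backup_state() {
    backup_dir=$1
    etc_dir=${2:-/etc}
    stamp=$(date +%Y%m%d)
    mkdir -p "$backup_dir"
    "$DPKG" --get-selections > "$backup_dir/selections-$stamp"
    tar -czf "$backup_dir/etc-$stamp.tar.gz" \
        -C "$(dirname "$etc_dir")" "$(basename "$etc_dir")"
    echo "$backup_dir/selections-$stamp"
}

# count_install_selections SELECTIONS_FILE
# Sanity check before a restore: how many packages are marked "install".
# dpkg --get-selections prints "package<TAB>state" per line.
count_install_selections() {
    awk '$2 == "install" { n++ } END { print n + 0 }' "$1"
}

# restore_state SELECTIONS_FILE
# Run on the freshly installed base system. /etc is deliberately not
# unpacked here: review the saved copy and restore only what you trust,
# since a backup taken after the compromise may carry the intruder's edits.
restore_state() {
    "$DPKG" --set-selections < "$1"
    "$APT_GET" dselect-upgrade
}
```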
