
RE: was I cracked? (rpc.statd, new version)



By the way:

Can dpkg check the files in my filesystem against the versions which are in the package database, so I can verify whether a binary was modified? Then the only thing I would need is signing of the deb packages and of the database itself (perhaps with an external key).
Is something like this possible, or is it planned?

Oliver

> -----Original Message-----
> From: Lukas Eppler [mailto:lukas.eppler@tempobrain.com]
> Sent: Donnerstag, 12. Juli 2001 10:36
> To: Alvin Oga; kath
> Cc: debian-security@lists.debian.org
> Subject: Re: was I cracked? (rpc.statd, new version)
> 
> 
> Thank you all for the hints.
> I think I will install tripwire for the future. I didn't have it up to now,
> so for the moment it does not tell me much. The hacked machine is the only
> one with 2.2 I control, so checking the binaries would involve unpacking debs
> by hand, I guess. I have looked at creation times and setuid flags, and I
> have run a portscan from outside and haven't found anything unusual.
> So as Ethan said, I think I survived...
> 
> I have tried the exploit myself from outside on my machine. It produced a
> similar entry in the logs, the script reported to have 'failed', and my shy
> test command (touch /blah) was not executed. This seems evidence to me that
> it was actually the old rpc.statd hole he/she tried to crack, and I know my
> version is safe (not because my own attack failed, but because debian says
> so).
> I will
>  - install tripwire to observe more
>  - remove nfs-common (the machine is a fresh install, I couldn't go over all
> the services yet)
> 
> Thank you for your help
> 
> Lukas
> 
> On Thursday, 12. July 2001 03.55, Alvin Oga wrote:
> > i like  a simple/stupid solution
> > 	tar zcvf /safe_place_off_line/original_binaries.tgz \
> > 	/bin /lib /sbin /usr/{bin,sbin,lib} /etc
> >
> > 	( its a quickie test... to compare the current binaries
> > 	( against what was the original
> >
> > if you still not sure... that they ADDED some of their own
> > apps .... than run tripwire.... and wait and wait..
> > but than you'd have an answer if you have a good tripwire db going
> >
> > dozen different ways to identify if they got in and what they
> > changed... choose your preferred way...
> >
> > c ua
> > alvin
> >
> > On Wed, 11 Jul 2001, kath wrote:
> > > You can check for modified binaries with tripwire.
> > >
> > > If this was a decent hacker or even a script kiddie using a good tool,
> > > they probably would have purged your logs of all evidence.
> > >
> > > So either:
> > >
> > > a) They are second rate
> > > or
> > > b) They didn't get in
> 
> -- 
> Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
> http://www.tempobrain.com | icq # 5856 2285
> +44 20 7233 6206 | +44 79 8037 7312
> +41  1 389 29 29 | +41 76 373 07 87
> 
> 



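The check Oliver asks about can be done with data dpkg already keeps: most packages install a `<package>.md5sums` list under /var/lib/dpkg/info, one "md5  path" line per shipped file, and that is what the debsums tool compares against (later dpkg releases also grew a built-in `dpkg --verify`). The script below is an added example, not code from this thread or from dpkg; it re-implements that comparison in plain sh and exercises it on a constructed sandbox standing in for nfs-common (the package that ships rpc.statd), so it runs without touching the real system. The sandbox paths, the two stand-in binaries and their contents are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): verify installed files against the
# per-package md5sums lists dpkg keeps in /var/lib/dpkg/info, as debsums does.
# The sandbox package, its files and contents below are constructed.

# verify_pkg PKG [INFO_DIR] [ROOT]
# Prints one "MODIFIED <path>" or "MISSING  <path>" line per problem found.
# Returns 0 when every listed file matches, 1 otherwise, 2 if PKG has no list.
verify_pkg() {
    pkg=$1
    info=${2:-/var/lib/dpkg/info}
    root=${3:-/}
    list="$info/$pkg.md5sums"
    if [ ! -f "$list" ]; then
        echo "no md5sums list for $pkg" >&2
        return 2
    fi
    bad=0
    # each line of a .md5sums file is "<md5>  <path without leading slash>"
    while read -r sum path; do
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        cur=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$list"
    [ "$bad" -eq 0 ]
}

# make_sandbox: build a throwaway root and info dir for a hypothetical
# nfs-common package with two stand-in binaries; prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/root/usr/sbin" "$sb/info"
    printf 'constructed stand-in for rpc.statd\n' > "$sb/root/usr/sbin/rpc.statd"
    printf 'constructed stand-in for rpc.lockd\n' > "$sb/root/usr/sbin/rpc.lockd"
    for f in usr/sbin/rpc.statd usr/sbin/rpc.lockd; do
        printf '%s  %s\n' "$(md5sum "$sb/root/$f" | cut -d' ' -f1)" "$f"
    done > "$sb/info/nfs-common.md5sums"
    echo "$sb"
}

# Demo: a clean tree passes, then a tampered rpc.statd is reported.
SB=$(make_sandbox)
verify_pkg nfs-common "$SB/info" "$SB/root" && echo "nfs-common: clean"
printf 'trojan\n' >> "$SB/root/usr/sbin/rpc.statd"
verify_pkg nfs-common "$SB/info" "$SB/root" || echo "nfs-common: tampered"
rm -r "$SB"
```

The caveat is the one Oliver's question already points at: the md5sums lists sit on the same disk as the binaries and are not signed, so an intruder with root can regenerate them after replacing a file, and a compromised md5sum or sh binary can lie to you. To get an independent reference, run the same comparison against a list extracted from a freshly downloaded .deb (`dpkg-deb -e pkg.deb dir` unpacks the control files, md5sums included) or against a copy kept off the machine, and do it from a boot medium you trust rather than from the suspect system's own tools.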