
Re: '(no



In linux.debian.security, you wrote:
> I am curious if the following is an example of a buffer overflow.  I
> noticed this in my syslog - and the following day had someone logged in
> from an IP I'm not aware of.
> 
> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do? 
> 
> Should I remove /bin/sh for something less obvious as a general
> protection from buffer overflows?

If you suspect your machine was r00ted, 
1. Take it off the net _now_.
2. If you want to do a post-mortem, boot from "known good" CD or plug
   the hd into a "known good" box.
3. Post-mortem or not, wipe everything out (as in "fdisk") and reinstall
   from scratch.
   
The reason is that the intruder could install hacked versions of utilities
like ps, ls, lsmod, etc., that won't show backdoor processes and hacked files,
and/or a kernel module that does the same at OS level. Your logs may have
been sanitized, too. You cannot trust any program on a r00ted box.

Dima
-- 
In cyberspace no one can hear you laugh         -- Bill Bumgarner in RISKS 21.65



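The post-mortem in step 2 above, done the way the reply describes: the suspect disk is mounted read-only on a known-good box and nothing on it is executed, because its ps, ls and lsmod may lie. The script below is an added example, not code from the original post or from Debian; it byte-compares a tree of system binaries on the suspect disk against a reference tree that must come from clean media (for example, packages fetched and unpacked on the known-good machine), never from the suspect disk's own package database, which the intruder could have edited. The mount point /mnt/suspect, the reference directory /srv/reference and the demo file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): offline integrity check of a
# suspect filesystem from a known-good box.
# Assumptions: SUSPECT is the read-only mount point of the compromised disk;
# REFERENCE holds known-good copies of the same files, laid out with the same
# relative paths (e.g. bin/ps, sbin/lsmod). Nothing under SUSPECT is executed.

set -u

# verify_tree SUSPECT REFERENCE
# Prints one line per file: OK / MODIFIED / MISSING for every reference file,
# and EXTRA for files on the suspect disk that have no reference copy
# (a dropped backdoor in a system directory shows up here).
verify_tree() {
    suspect=$1
    reference=$2
    if [ ! -d "$suspect" ] || [ ! -d "$reference" ]; then
        echo "usage: verify_tree SUSPECT_DIR REFERENCE_DIR" >&2
        return 2
    fi
    # Every reference file must exist on the suspect disk and be byte-identical.
    (cd "$reference" && find . -type f) | sort | while IFS= read -r ref; do
        rel=${ref#./}
        if [ ! -f "$suspect/$rel" ]; then
            echo "MISSING  $rel"
        elif cmp -s "$reference/$rel" "$suspect/$rel"; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"
        fi
    done
    # Anything on the suspect disk with no counterpart in the reference tree.
    (cd "$suspect" && find . -type f) | sort | while IFS= read -r sus; do
        rel=${sus#./}
        [ -f "$reference/$rel" ] || echo "EXTRA    $rel"
    done
}

# suspicious_count SUSPECT REFERENCE: number of findings that are not OK.
suspicious_count() {
    verify_tree "$1" "$2" | grep -v '^OK ' | wc -l | tr -d ' '
}

# Constructed demo data (not real system files): a clean reference tree and a
# suspect tree in which ps was replaced, lsmod was removed and an extra binary
# was dropped into sbin. Prints the temporary directory that holds both trees.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/ref/bin" "$demo/ref/sbin" "$demo/sus/bin" "$demo/sus/sbin"
    printf 'clean ps\n'    > "$demo/ref/bin/ps"
    printf 'clean ls\n'    > "$demo/ref/bin/ls"
    printf 'clean lsmod\n' > "$demo/ref/sbin/lsmod"
    printf 'trojaned ps that hides a pid\n' > "$demo/sus/bin/ps"
    printf 'clean ls\n'    > "$demo/sus/bin/ls"
    printf 'backdoor\n'    > "$demo/sus/sbin/sshd2"
    echo "$demo"
}

# Usage: sh verify.sh /mnt/suspect /srv/reference    (or: sh verify.sh --demo)
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    verify_tree "$d/sus" "$d/ref"
    rm -rf "$d"
elif [ $# -eq 2 ]; then
    verify_tree "$1" "$2"
fi
```

A clean result from this check is not proof of anything: the reply's point stands that a kernel module or a binary outside the reference set can still be present, which is why step 3 (wipe and reinstall) applies regardless of what the post-mortem finds.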