Re: '(no

To: Momchil Velikov <velco@fadata.bg>
Cc: <dmaziuk@yola.bmrb.wisc.edu>, Russell Speed <rfspeed@attcanada.ca>, <debian-security@lists.debian.org>
Subject: Re: '(no
From: Rishi L Khan <rishi@UDel.Edu>
Date: Sat, 15 Sep 2001 15:32:27 -0400 (EDT)
Message-id: <[🔎] Pine.SOL.4.31.0109151531300.17561-100000@copland.udel.edu>
In-reply-to: <[🔎] 877kv0febi.fsf@fadata.bg>

consider using tripwire on your computers in the future. This way you can
create a database of md5sums of all important programs and store them on a
disk in your drawer. Then you'll know what was hacked and what wasn't.

		-rishi

On 15 Sep 2001, Momchil Velikov wrote:

> >>>>> "Dimitri" == Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu> writes:
>
> Dimitri> In linux.debian.security, you wrote:
> >> I am curious if the following is an example of a buffer overflow.  I
> >> noticed this in my syslog - and the following day had someone logged in
> >> from an IP I'm not aware of.
> >>
> >> I changed the passwords - and added an entry to the input chain to block
> >> the IP, but am wondering what other things I should do?
> >>
> >> Should I remove /bin/sh for something less obvious as a general
> >> protection from buffer overflows?
>
> Dimitri> If you suspect your machine was r00ted,
> Dimitri> 1. Take it off the net _now_.
> Dimitri> 2. If you want to do a post-mortem, boot from "known good" CD or plug
> Dimitri>    the hd into a "known good" box.
> Dimitri> 3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall
> Dimitri>    from scratch.
>
> Frankly, this looks a bit too harsh. Of course, it depends on the
> importance of the machine and the data on it.
>
> Dimitri> The reason is that the intruder could install hacked versions of utilities
> Dimitri> like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
> Dimitri> and/or a kernel module that does the same at OS level. Your logs may have
> Dimitri> been sanitized, too. You cannot trust any program on a r00ted box.
>                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> In theory, yes. In practice, one can (marginally) trust some of the
> programs, e.g. is it likely that a rootkit has changed ``tar'' ? Or
> ``apt-get'' ? Or ``tcsh'' ?
>
> You can use ``tar'' to find out if ``ls'' was changed. Use ``echo'' to
> list directories and compare with ``ls'' and ``find''. Use ``tcsh''
> builtin ``ls-F''.
>
> I guess there are other means to detect a rootkit, described somewhere
> on the web. (Hopefully, mozilla is not cracked to conceive such
> information :-)
>
> Regards,
> -velco
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

References:
- Re: '(no
  - From: Momchil Velikov <velco@fadata.bg>

Prev by Date: Re: '(no
Next by Date: VPN Concentrator 3000 + Sony FIU 710
Previous by thread: Re: '(no
Next by thread: Re: '(no
Index(es):
- Date
- Thread