Re: '(no
On Sat, Sep 15, 2001 at 10:23:45PM +0300, Momchil Velikov wrote:
> >>>>> "Dimitri" == Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu> writes:
> Dimitri> In linux.debian.security, you wrote:
> Dimitri> If you suspect your machine was r00ted,
> Dimitri> 1. Take it off the net _now_.
> Dimitri> 2. If you want to do a post-mortem, boot from "known good" CD or plug
> Dimitri> the hd into a "known good" box.
> Dimitri> 3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall
> Dimitri> from scratch.
>
> Frankly, this looks a bit too harsh. Of course, it depends on the
> importance of the machine and the data on it.
No, it isn't.
It's not just your machine you're protecting, it's every other
machine on the network.
If your "trivial little game box" gets hacked, you lose nothing but
time, but the attacker now has a "clean" platform (in that it's not
in an IP space that can be tracked back to him) to attack *me* from,
and when I notice the attack, I track it back to *you*. Unless you
can demonstrate otherwise, then I have to assume that it's you who
is attacking me, and then you have to convince the FBI that you
didn't do it.
If you believe that you've been hacked, fdisk and restore from
backup--if you are absolutely positive your backup is clean.
Otherwise rebuild from scratch.
> Dimitri> The reason is that the intruder could install hacked versions of utilities
> Dimitri> like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
> Dimitri> and/or a kernel module that does the same at OS level. Your logs may have
> Dimitri> been sanitized, too. You cannot trust any program on a r00ted box.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> In theory, yes. In practice, one can (marginally) trust some of the
> programs, e.g. is it likely that a rootkit has changed ``tar'' ? Or
> ``apt-get'' ? Or ``tcsh'' ?
Tar and Apt-get probably not. tcsh would be more doubtful.
--
Share and Enjoy.
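A check in the spirit of step 2 above, as an added example that is not part of the thread: with the suspect disk mounted read-only on a known-good box, compare the hashes of the utilities a rootkit typically replaces (ps, ls, lsmod and so on) against the same files on the clean host. The path list, the /mnt/suspect mount point and the assumption that the reference host runs the same Debian release and package versions are mine; the reference hashes must come from the clean host, never from anything on the suspect disk.

```shell
#!/bin/sh
# Added example, not code from the thread. Run on a known-good host with the
# suspect root mounted read-only (assumed: /mnt/suspect). Nothing on the
# suspect disk is executed or trusted; only its file contents are hashed.

# Constructed list: utilities the thread names plus the usual rootkit targets.
# Paths are relative to the root and assume a matching Debian install.
SUSPECT_BINS="bin/ps bin/ls sbin/lsmod bin/netstat bin/login \
              usr/bin/tcsh bin/tar usr/bin/apt-get"

# hash_file FILE: print a content hash (sha256, md5 fallback on old systems).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# compare_roots GOOD_ROOT SUSPECT_ROOT path...
# Prints one line per difference (MODIFIED / MISSING / EXTRA) and returns the
# number of differences, so 0 means every listed file matched the clean copy.
compare_roots() {
    good="$1"; suspect="$2"; shift 2
    mismatches=0
    for rel in "$@"; do
        g="$good/$rel"; s="$suspect/$rel"
        if [ ! -e "$g" ] && [ -e "$s" ]; then
            echo "EXTRA    $rel"; mismatches=$((mismatches + 1)); continue
        fi
        if [ -e "$g" ] && [ ! -e "$s" ]; then
            echo "MISSING  $rel"; mismatches=$((mismatches + 1)); continue
        fi
        [ -e "$g" ] || continue   # absent on both sides: nothing to compare
        if [ "$(hash_file "$g")" != "$(hash_file "$s")" ]; then
            echo "MODIFIED $rel"; mismatches=$((mismatches + 1))
        fi
    done
    return $mismatches
}

# Usage: sh check_bins.sh / /mnt/suspect
if [ "$#" -eq 2 ]; then
    compare_roots "$1" "$2" $SUSPECT_BINS
fi
```

A clean result only says the listed files match the reference; it says nothing about kernel modules or files outside the list, so it narrows the post-mortem rather than replacing the rebuild.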