Re: '(no

To: Momchil Velikov <velco@fadata.bg>
Cc: dmaziuk@yola.bmrb.wisc.edu, Russell Speed <rfspeed@attcanada.ca>, debian-security@lists.debian.org
Subject: Re: '(no
From: Petro <petro@auctionwatch.com>
Date: Sat, 15 Sep 2001 15:36:27 -0700
Message-id: <[🔎] 20010915153627.B19706@auctionwatch.com>
In-reply-to: <[🔎] 877kv0febi.fsf@fadata.bg>
References: <[🔎] 1000572686.1207.29.camel@rover> <[🔎] 20010915185943.CAE25FD96@odyssey.bmrb.wisc.edu> <[🔎] 877kv0febi.fsf@fadata.bg>

On Sat, Sep 15, 2001 at 10:23:45PM +0300, Momchil Velikov wrote:
> >>>>> "Dimitri" == Dimitri Maziuk <dmaziuk@yola.bmrb.wisc.edu> writes:
> Dimitri> In linux.debian.security, you wrote:
> Dimitri> If you suspect your machine was r00ted, 
> Dimitri> 1. Take it off the net _now_.
> Dimitri> 2. If you want to do a post-mortem, boot from "known good" CD or plug
> Dimitri>    the hd into a "known good" box.
> Dimitri> 3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall
> Dimitri>    from scratch.
> 
> Frankly, this looks a bit too harsh. Of course, it depends on the
> importance of the machine and the data on it.

    No, it isn't. 

    It's not just your machine you're protecting, it's every other
    machine on the network. 

    If your "trivial little game box" gets hacked, you lose nothing but
    time, but the attacker now has a "clean" platform (in that it's not
    in an IP space that can be tracked back to him) to attack *me* from,
    and when I notice the attack, I track it back to *you*. Unless you
    can demonstrate otherwise, then I have to assume that it's you who
    is attacking me, and then you have to convince the FBI that you
    didn't do it. 

    If you believe that you've been hacked, fdisk and restore from
    backup--if you are absolutely positive your backup is clean.
    Otherwise rebuild from scratch. 

> Dimitri> The reason is that the intruder could install hacked versions of utilities
> Dimitri> like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
> Dimitri> and/or a kernel module that does the same at OS level. Your logs may have 
> Dimitri> been sanitized, too. You cannot trust any program on a r00ted box.
>                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
> In theory, yes. In practice, one can (marginally) trust some of the
> programs, e.g. is it likely that a rootkit has changed ``tar'' ? Or
> ``apt-get'' ? Or ``tcsh'' ?

    Tar and Apt-get probably not. tcsh would be more doubtful. 

-- 
Share and Enjoy.

Reply to:

Follow-Ups:
- Re: '(no
  - From: Giacomo Mulas <gmulas@ca.astro.it>

References:
- [no subject]
  - From: Russell Speed <rfspeed@attcanada.ca>
- Re: '(no
  - From: dmaziuk@yola.bmrb.wisc.edu (Dimitri Maziuk)
- Re: '(no
  - From: Momchil Velikov <velco@fadata.bg>

Prev by Date: Re: protecting against buffer overflow.
Next by Date: Re: Listening Ports
Previous by thread: Re: '(no
Next by thread: Re: '(no
Index(es):
- Date
- Thread