RE: HELP I've been cracked

To: <tina@vmail.net.au>
Cc: <debian-security@lists.debian.org>
Subject: RE: HELP I've been cracked
From: "Jeff Bonner" <jeff@integralogic.com>
Date: Sat, 9 Feb 2002 13:47:15 -0500
Message-id: <[🔎] 000d01c1b19a$31fdc880$0200a8c0@JEFF>
In-reply-to: <[🔎] 20020209153947.A492@khazad-dum>

> -----Original Message-----
> From: Henrique de Moraes Holschuh [mailto:hmh@debian.org]
> Sent: Saturday, February 09, 2002 12:40 PM
> To: Tina Embrey [mailto:tina@vmail.net.au]
> Cc: debian-security@lists.debian.org
> Subject: Re: HELP I've been cracked

> > My Debian 2.2 Potato and Woody Servers have been attacked
> > by a cracker who has installed a 'root kit' and broke ps
> > and several other core components of the OS.  [...]
>
> > Is there any way to fix the broken apps, and get the system
> > secured again ?
>
> None that are worth the risk. A full reinstall is the only
> alternative we could recommend in good faith. Everything else
> is not 100% guaranteed.

I must second this comment.  Frankly, there is no practical way to be
certain of what has been compromised, thus the entire system is suspect.
This may apply despite something like Tripwire being used, because it
could be foiled by a particularly skilled blackhat (or poor
installation).  I know it probably isn't the answer you were hoping for,
but I think most everyone would agree it's the best solution.

There ARE some tools for detecting certain rootkits, but I mention this
only because it could be educational for you to learn how they broke in
and fooled around.  One of these will find commonly-installed items that
skript kiddies might use:

   $ apt-cache show chkrootkit

You should NOT rely on this as your only means of intrusion detection,
however.  I would also discourage you from repairing the system based on
the results you find with chkrootkit, because it may not be accurate,
and/or there may be additional tampering elsewhere that it doesn't find.

One of the things I did with my firewall was compile all the needed
modules into the kernel, so that no additional modules can be loaded --
which is one way a hacker can install things.  You might look into this,
or perhaps use "LIDS", the Linux Intrusion Detection system.  It's a
kernel-based hardening program (for lack of a more concise term):

   $ apt-cache show lids-2.2.19
   and
   http://www.lids.org

> Please look for the security Debian howto at:
> http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

An excellent security reference, with concepts that are good practice
for all Linux boxen.

Other suggested reading (not Debian-centric):

   http://staff.washington.edu/dittrich/R870/reacting.html
   http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
   http://www.enteract.com/~lspitz/linux.html
   http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

Last but not least, once you have secured your machine as best you can,
run a variety of security tools against it, such as Nessus, raccess,
nmap and so forth.  You might find additional holes that can be plugged.

Hope that helps,

Jeff Bonner

Reply to:

Follow-Ups:
- RE: HELP I've been cracked
  - From: Josh <josh@negative.zeroday.net>
- Re: HELP I've been cracked
  - From: Anthony DeRobertis <asd@suespammers.org>

References:
- Re: HELP I've been cracked
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: HELP I've been cracked
Next by Date: Port 113 (auth) accept or deny?
Previous by thread: Re: HELP I've been cracked
Next by thread: RE: HELP I've been cracked
Index(es):
- Date
- Thread