RE: HELP I've been cracked
> -----Original Message-----
> From: Henrique de Moraes Holschuh [mailto:firstname.lastname@example.org]
> Sent: Saturday, February 09, 2002 12:40 PM
> To: Tina Embrey [mailto:email@example.com]
> Cc: firstname.lastname@example.org
> Subject: Re: HELP I've been cracked
> > My Debian 2.2 Potato and Woody Servers have been attacked
> > by a cracker who has installed a 'root kit' and broke ps
> > and several other core components of the OS. [...]
> > Is there any way to fix the broken apps, and get the system
> > secured again ?
> None that are worth the risk. A full reinstall is the only
> alternative we could recommend in good faith. Everything else
> is not 100% guaranteed.
I must second this comment. Frankly, there is no practical way to be
certain of what has been compromised, thus the entire system is suspect.
This may apply despite something like Tripwire being used, because it
could be foiled by a particularly skilled blackhat (or poor
installation). I know it probably isn't the answer you were hoping for,
but I think most everyone would agree it's the best solution.
There ARE some tools for detecting certain rootkits, but I mention this
only because it could be educational for you to learn how they broke in
and fooled around. One of these will find commonly-installed items that
skript kiddies might use:
$ apt-cache show chkrootkit
You should NOT rely on this as your only means of intrusion detection,
however. I would also discourage you from repairing the system based on
the results you find with chkrootkit, because it may not be accurate,
and/or there may be additional tampering elsewhere that it doesn't find.
One of the things I did with my firewall was compile all the needed
modules into the kernel, so that no additional modules can be loaded --
which is one way a hacker can install things. You might look into this,
or perhaps use "LIDS", the Linux Intrusion Detection system. It's a
kernel-based hardening program (for lack of a more concise term):
$ apt-cache show lids-2.2.19
> Please look for the security Debian howto at:
An excellent security reference, with concepts that are good practice
for all Linux boxen.
Other suggested reading (not Debian-centric):
Last but not least, once you have secured your machine as best you can,
run a variety of security tools against it, such as Nessus, raccess,
nmap and so forth. You might find additional holes that can be plugged.
Hope that helps,