
RE: HELP I've been cracked



try checking out www.grsecurity.net. It's a collection of patches and a
very excellent ACL system written by a friend of mine. It also
incorporates the OpenWall / pax patches among other things.


     - Josh Reynolds


On Sat, 9 Feb 2002, Jeff Bonner wrote:

> > -----Original Message-----
> > From: Henrique de Moraes Holschuh [mailto:hmh@debian.org]
> > Sent: Saturday, February 09, 2002 12:40 PM
> > To: Tina Embrey [mailto:tina@vmail.net.au]
> > Cc: debian-security@lists.debian.org
> > Subject: Re: HELP I've been cracked
>
> > > My Debian 2.2 Potato and Woody Servers have been attacked
> > > by a cracker who has installed a 'root kit' and broke ps
> > > and several other core components of the OS.  [...]
> >
> > > Is there any way to fix the broken apps, and get the system
> > > secured again ?
> >
> > None that are worth the risk. A full reinstall is the only
> > alternative we could recommend in good faith. Everything else
> > is not 100% guaranteed.
>
> I must second this comment.  Frankly, there is no practical way to be
> certain of what has been compromised, thus the entire system is suspect.
> This may apply despite something like Tripwire being used, because it
> could be foiled by a particularly skilled blackhat (or poor
> installation).  I know it probably isn't the answer you were hoping for,
> but I think most everyone would agree it's the best solution.
>
> There ARE some tools for detecting certain rootkits, but I mention this
> only because it could be educational for you to learn how they broke in
> and fooled around.  One of these will find commonly-installed items that
> skript kiddies might use:
>
>    $ apt-cache show chkrootkit
>
> You should NOT rely on this as your only means of intrusion detection,
> however.  I would also discourage you from repairing the system based on
> the results you find with chkrootkit, because it may not be accurate,
> and/or there may be additional tampering elsewhere that it doesn't find.
>
> One of the things I did with my firewall was compile all the needed
> modules into the kernel, so that no additional modules can be loaded --
> which is one way a hacker can install things.  You might look into this,
> or perhaps use "LIDS", the Linux Intrusion Detection system.  It's a
> kernel-based hardening program (for lack of a more concise term):
>
>    $ apt-cache show lids-2.2.19
>    and
>    http://www.lids.org
>
> > Please look for the security Debian howto at:
> > http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
>
> An excellent security reference, with concepts that are good practice
> for all Linux boxen.
>
> Other suggested reading (not Debian-centric):
>
>    http://staff.washington.edu/dittrich/R870/reacting.html
>    http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
>    http://www.enteract.com/~lspitz/linux.html
>    http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
>
> Last but not least, once you have secured your machine as best you can,
> run a variety of security tools against it, such as Nessus, raccess,
> nmap and so forth.  You might find additional holes that can be plugged.
>
> Hope that helps,
>
> Jeff Bonner
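One way to do the kind of integrity check the thread describes, as an added example that is not from any of the posters: from a trusted rescue system, compare every file of a Debian package on the mounted suspect root against the md5sums dpkg recorded at install time, which is how a replaced ps shows up. The mount point, the package name and the sample files are assumptions constructed for the example; note that the md5sums records live on the same suspect disk, so a clean result proves little, which is exactly why the thread recommends a reinstall.

```shell
#!/bin/sh
# Added example (not from the list thread). Run from a trusted rescue system
# with the suspect root mounted read-only; only md5sum/cut of the rescue
# system are used, never binaries from the suspect disk.

# Report package files on the suspect root whose checksum differs from the
# record in /var/lib/dpkg/info/<pkg>.md5sums.
# $1 = mount point of the suspect root (assumed), $2 = package name.
# Prints "MODIFIED /path", "MISSING /path" or "NO_RECORD <pkg>";
# returns 0 only when every recorded file matches.
check_package_files() {
    suspect="$1"; pkg="$2"
    list="$suspect/var/lib/dpkg/info/$pkg.md5sums"
    [ -r "$list" ] || { echo "NO_RECORD $pkg"; return 2; }
    rc=0
    # md5sums lines look like: <hash>  <path without leading slash>
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$suspect/$path" ]; then
            echo "MISSING /$path"; rc=1; continue
        fi
        actual=$(md5sum "$suspect/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED /$path"; rc=1
        fi
    done < "$list"
    return $rc
}

# Constructed sample: a fake suspect root holding one package (procps) whose
# /bin/ps has been replaced after install, the way a rootkit would do it.
make_sample_root() {
    sample=$(mktemp -d)
    mkdir -p "$sample/bin" "$sample/var/lib/dpkg/info"
    printf 'genuine ps binary\n' > "$sample/bin/ps"
    printf 'genuine kill binary\n' > "$sample/bin/kill"
    {
        printf '%s  bin/ps\n'   "$(md5sum "$sample/bin/ps"   | cut -d' ' -f1)"
        printf '%s  bin/kill\n' "$(md5sum "$sample/bin/kill" | cut -d' ' -f1)"
    } > "$sample/var/lib/dpkg/info/procps.md5sums"
    printf 'trojaned ps binary\n' > "$sample/bin/ps"   # the tampering
    echo "$sample"
}
```

On a real system the same function is run per package against the mounted disk (for example over every `*.md5sums` file under `var/lib/dpkg/info`), and any MODIFIED line on a package you did not upgrade yourself is evidence, not something to repair in place.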


