
Re: Hacked - is it my turn?



hi ya johannes

On Mon, 2 Feb 2004, Johannes Graumann wrote:

> > > Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> At this point I believe to be able to attribute this to portsentry
> running - '/etc/init.d/portsentry stop' makes it go away,
> '/etc/init.d/portsentry start' makes it reappear and I can create the
> message on a pristine system by installing portsentry (running in the
> default configuration).

odd that portsentry does that... oh well ...
 
> > 'tiger' also reports - while performing signature check of system
> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
> > and /usr/bin/inetd do not match. This can not be confirmed by aide
> > (cd-burned database, unsafe binary) or debsums (unsafe binary).
> Javier stated as well:
> > Do _not_ rely on that if you are _not_ using a stable system.... (and
> > really, even then, unless you've regenerated the database yourself).
> This is a testing/unstable system.

that doesn't explain why the semi-important binaries are not as
you expected ... you still need to confirm the size/md5 of the binaries
against a clean system and/or patched updated/upgraded box
 
> If you don't buy this: please let me know and why. Since we are talking
> 20+ systems being dependent on one of the machines in question, I'm
> considering myself biased due to installation anxiety.

maybe it's time to spend an extra $300 for a 2nd backup machine and
keep it offline or more protected behind another secure firewall
	- and also time to put all your binaries compressed onto cdrom
	so that you can trivially compare binaries in a few seconds
	and know if it's been hacked or not

	- you'd also need to know which binaries changed on which date
	from which package :-)

have fun
alvin
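The compare-against-a-clean-copy step alvin describes above, as an added example that is not part of the original thread. It assumes a baseline file written from a known-clean tree (in practice the copy burned to CD-ROM) and a suspect tree to check against it; it records size plus sha256 rather than md5 (my substitution, not the poster's), and the function names make_baseline, check_against_baseline and demo are hypothetical. The demo's "binaries" are constructed text files, not real /bin contents.

```shell
#!/bin/sh
# Added example: snapshot size + sha256 of every file under a tree into a
# baseline file, then compare a suspect tree against it. Function names
# (make_baseline, check_against_baseline, demo) are hypothetical.

# make_baseline DIR OUTFILE
# Writes one line per regular file: "<sha256> <size-in-bytes> <relative path>".
# Run this on a known-clean tree and keep OUTFILE on read-only media.
make_baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f | sort | while IFS= read -r f; do
        rel="${f#"$dir"/}"
        size=$(wc -c < "$f" | tr -d ' ')
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$sum" "$size" "$rel"
    done > "$out"
}

# check_against_baseline DIR BASELINE
# Prints one line per file that is missing, has a different size, or has the
# same size but a different hash. Returns 0 only if every file matches.
check_against_baseline() {
    dir="$1"; base="$2"; rc=0
    while read -r sum size rel; do
        f="$dir/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$rel"; rc=1; continue
        fi
        cur_size=$(wc -c < "$f" | tr -d ' ')
        cur_sum=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur_size" != "$size" ]; then
            printf 'SIZE    %s (%s -> %s bytes)\n' "$rel" "$size" "$cur_size"; rc=1
        elif [ "$cur_sum" != "$sum" ]; then
            printf 'HASH    %s (size unchanged, content differs)\n' "$rel"; rc=1
        fi
    done < "$base"
    return $rc
}

# demo
# Constructed data, not real system binaries: a "clean" tree is snapshotted,
# then a copy gets one file padded, one file altered at constant size and one
# file deleted. Prints the report and returns check_against_baseline's status.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/clean/usr/bin"
    printf 'ping v1\n'  > "$tmp/clean/bin/ping"
    printf 'chage v1\n' > "$tmp/clean/usr/bin/chage"
    printf 'write v1\n' > "$tmp/clean/usr/bin/write"
    make_baseline "$tmp/clean" "$tmp/baseline.txt"

    # The clean tree must match its own baseline before the check is trusted.
    check_against_baseline "$tmp/clean" "$tmp/baseline.txt" >/dev/null || {
        rm -rf "$tmp"; return 2
    }

    cp -R "$tmp/clean" "$tmp/suspect"
    printf 'ping v1 plus payload\n' > "$tmp/suspect/bin/ping"       # size changes
    printf 'chage v2\n'             > "$tmp/suspect/usr/bin/chage"  # same size
    rm "$tmp/suspect/usr/bin/write"                                 # gone

    status=0
    check_against_baseline "$tmp/suspect" "$tmp/baseline.txt" || status=$?
    rm -rf "$tmp"
    return $status
}

demo || echo "baseline mismatch, exit status $?"
```

Comparing sizes first is cheap and catches the padded case, but the chage case shows why the hash is still needed: a replacement of identical size passes the size check. On a Debian box the per-package reference sums that debsums reads live under /var/lib/dpkg/info/*.md5sums, which answers the "which binary from which package" question only as far as you trust that directory on the suspect machine; a baseline written from a clean install and kept on read-only media does not have that problem.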
