Re: Compromised system - still ok?
Jeroen van Wolffelaar wrote:
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller wrote:
I'm considering taking it back online with a 2.4.29-grsec-hi, what do
you guys think?
You were rooted, you should reinstall. It's not worth risking that he
left something that you didn't find.
I see no evidence at all of being rooted, or even hints thereto. Yes,
the backup account was compromised. It looks like there were quite some
security measures in place; try to look hard for any attempt at a kernel
exploit or other local exploit, and think about what files this
backup account had access to. Of course, the importance of the system
matters too: if you were the NSA or something, I'd definitely reinstall.
However, if you're not THAT paranoid, I think you can do with locking
down the backup account, checking all files writeable by backup (all files
with recent ctime?), and places like /var/tmp, /tmp, etc.
Unless the evidence of being rooted was hidden. This can be done with
* replacing system binaries, so that, for instance, /bin/ls does not
list the root kit files, and that /bin/ps does not display the rootkit
* replacing kernel (or modules) so that process information relating to
the root kit is hidden, and files are hidden
* hiding the root kit files in 'empty' spaces on the filesystem (i.e.,
where no inodes are pointing to)
* hiding the root kit files in the filesystem (amongst other files, a
little bit in each inode maybe?)
So can you be really sure that there was no root kit that successfully
exploited your system? Have you rebooted off a trusted kernel, and
cryptographically checked every single file involved in booting? (Such
as the grub/lilo, kernel, all modules, init), and visually or
cryptographically checked all the rc.* files and /etc/inittab?
Of course, doing all this might mean that you avoid booting the rootkit
next time. But it could still be on the disk, waiting for when the
attacker tries to return!
Yes, if the system is not important, you might not bother re-installing
it. However, in my (fairly recent) experience, it was _easier_ to
reinstall than it was to check all those things.
Debian System Administrator
+61 3 9340 9000