Re: Compromised system - still ok?

Jeroen van Wolffelaar wrote:
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:

On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
<pburgstaller@acm.org> wrote:

I'm considering taking it back online with a 2.4.29-grsec-hi, what do
you guys think?

You were rooted, you should reinstall.  It's not worth risking that he
left something that you didn't find.

I see no evidence at all of being rooted, or even hints thereto. Yes,
the backup account was compromised. It looks like there were quite some
security measures in place, try to look hard for any attempt to kernel
exploit or otherwise local exploit, and think about what files this
backup account had access to. Of course, importance of the system
matters too, if you were the NSA or something, I'd definitely reinstall,
however, if you're not THAT paranoid, I think you can do with locking
down backup account, checking all files writeable by backup (all files
with recent ctime?), and places like /var/tmp, /tmp, etc.


Unless the evidence of being rooted was hidden. This can be done with
* replacing system binaries, so that, for instance, /bin/ls does not list the root kit files, and that /bin/ps does not display the rootkit
* replacing kernel (or modules) so that process information relating to the root kit is hidden, and files are hidden
* hiding the root kit files in 'empty' spaces on the filesystem, (ie, where no inodes are pointing to)
* hiding the root kit files in the filesystem (among other files, a little bit in each inode maybe?)

So can you be really sure that there was no root kit that successfully exploited your system? Have you rebooted off a trusted kernel, and cryptographically checked every single file involved in booting? (Such as the grub/lilo, kernel, all modules, init), and visually or cryptographically checked all the rc.* files and /etc/inittab? Of course, doing all this might mean that you avoid booting the rootkit next time. But it could still be on the disk, waiting for when the attacker tries to return!

Yes, if the system is not important, you might not bother re-installing it. However in my (fairly recent) experience, it was _easier_ to reinstall than it was to check all those things.

Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000
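An added example, not code from anyone in this thread, of the offline checks Jeroen and Geoff describe: after booting a trusted kernel and mounting the suspect disk read-only, verify boot-critical files against a known-good sha256 manifest, list files with a recent ctime, and list what the compromised account could have written to. The mount point, the manifest format and the account name are assumptions.

```shell
#!/bin/sh
# Added example: integrity checks run from a trusted rescue boot against a
# suspect root filesystem mounted read-only at $ROOT (assumed path).
# The manifest is assumed to hold lines "<sha256>  <path relative to />",
# produced beforehand from clean install media or package files.

# verify_manifest ROOT MANIFEST: print MISSING/MISMATCH for each file that
# does not verify; return 1 if anything differs, 0 if all files verify.
verify_manifest() {
    root=$1 manifest=$2 rc=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# recent_ctime ROOT DAYS: files whose inode changed in the last DAYS days.
# ctime cannot be reset with touch, so a replaced binary or a dropped file
# still shows up here even when its mtime was faked.
recent_ctime() {
    find "$1" -xdev -type f -ctime "-$2" 2>/dev/null
}

# writable_by ROOT USER: files the given account (e.g. "backup") could have
# modified: owned by it with owner-write, or world-writable.
writable_by() {
    find "$1" -xdev -type f \( \( -user "$2" -perm -u=w \) -o -perm -0002 \) 2>/dev/null
}

# Usage from the rescue shell, with the suspect disk mounted on /mnt:
#   verify_manifest /mnt /media/usb/known-good.sha256
#   recent_ctime /mnt 30
#   writable_by /mnt backup
```

The manifest only proves what it covers, so it has to include the bootloader, kernel, modules, init and the rc.* scripts Geoff lists, not just /bin and /sbin.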
