Re: Compromised system - still ok?

To: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Cc: debian-security@lists.debian.org
Subject: Re: Compromised system - still ok?
From: Alvin Oga <aoga@ns.Linux-Consulting.com>
Date: Sun, 6 Feb 2005 17:26:54 -0800 (PST)
Message-id: <[🔎] Pine.LNX.3.96.1050206165845.12860A-100000@Maggie.Linux-Consulting.com>
In-reply-to: <[🔎] 4206AAB6.7020402@strategicdata.com.au>


On Mon, 7 Feb 2005, Geoff Crompton wrote:

> >>You were rooted, you should reinstall.  It's not worth risking that he
> >>left something that you didn't find.

<my opinion>
"reinstalling" is the equivalent of a "script kiddie" and probably lower
in skill level of the script kiddie
</opinion>

see below for reasons if one cares

> > I see no evidence at all of being rooted, or even hints thereto. Yes,
> > the backup account was compromized. It looks like there were quite some
> > security measures in place, try to look hard for any attempt to kernel
> > exploit or otherwise local exploit, and think about what files this
> > backup account had access to. Of course, importance of the system
> > matters too, if you were the NSA or something, I'd definitely reinstall,
> > however, if you're not THAT paranoid, I think you can do with locking
> > down backup account, checking all files writeable by backup (all files
> > with recent ctime?), and places like /var/tmp, /tmp, etc.

nsa and other 3-letter agencies will probably find out:
	- where the cracker came from
	- what else the cracker did on the suspect box
	- what other machines the cracker tried to access inside the
	network and what other files were changed on other servers
	- how they got in and repoduce how they got in 
	- come to your door step and serve a warrant if
	one broke into a "secret" machine
	- are there automated jobs that run at fixed times or
	whenver you do something

	- how long have they been in the system before you noticed
	and sometimes they are in there for weeks or months before
	you start to notice because they started to use the cracked box

	- is the backup clean or is it suspect too

	- what files the cracker changed 
	- what files the cracker added
	- .. on and on ..

you can reinstall AFTER you can answer all the above questions
or give up and give the point ot the script kiddie cracker

resinstalling is bad because ..
	- you donno how they got in and they can get back in
	the same way again, and the 2nd time, they'd probably be
	less friendly

	- most crackers are not malicious and just wanna prove something
	to themself or their buddies

	- reinstalling and cleanup after a cracked box is very painful
	and can take days weeks of cleanup whether you reinstall or not

	- reinstallng does NOT clean up the other machines the
	cracker could have used .. ( esp passwordless login systems
	where they have free access to everything )

	- reinstalling is bad because you didn't check your backups
	before restoring, and for all you know, you can be restoring
	their trojan that will wake up one day again in the future

	- if you didn't change your normal computer usage after the
	breakin, they will be back again

	- thousands of "best practices" security rules and policies
	to follow or not depending on ones paranoia or risk of something
	might happen vs the obvious required time/steps needed to protect
	against those possible crack attempts

> Unless the evidence of being rooted was hidden. This can be done with
> * replacing system binaries, so that, for instance, /bin/ls does not 
> list the root kit files, and that /bin/ps does not display the rootkit

those are trivial to check and verify .. few minutes

one keeps a copy of all files and directories on another media ( cdrom )
	- anything that shows up different is new file since the 
	"md5sum was done" or its the cracker files

	- if you upgrade daily .. you're sorta assuming a few
	things, like you don't know or care that certain files changed
	on certain days or hopefulling logging it  but how do you
	know it was changed due to update vs cracker got in and also
	got its files in your "these are my changes for today" checksums

> * replacing kernel (or modules) so that process information relating to 
> the root kit is hidden, and files are hidden

most rootkits leaves traces .. though it's getting better at hiding

> * hiding the root kit files in 'empty' spaces on the filesystem, (ie, 
> where no inodes are pointing to)
> * hiding the root kit files in the filesystem (amongs other files, a 
> little bit in each inode maybe?)

ideal places for those  is using the extra buytes of
	/etc/hosts
	/etc/resolv.conf
	/etc/hosts.conf
	/etc/passwd
	( small files, where lots of unused bytes is available )

if they have hidden their stuff inside a secret filesystem of unused
disk space... you need professional 3-letter help ...
	- reinstalling will not help you, as they probably outclass
	your/our security policies

and a more likely scarier problem, is they installed a keyboard sniffer
( quietly sniffing all your passwds )
	- do you login each time or do you login only once ??

> Yes, if the system is not important, you might not bother re-installing 
> it. However in my (fairly recent experience), it was _easier_ to 
> reinstall than it was to check all those things.

one should watch and study the network to that cracked box and learn
as much as you can

c ya
alvin

Reply to:

Follow-Ups:
- Re: Compromised system - still ok?
  - From: Bernd Eckenfels <ecki@lina.inka.de>

References:
- Re: Compromised system - still ok?
  - From: Geoff Crompton <geoff.crompton@strategicdata.com.au>

Prev by Date: Re: Compromised system - still ok?
Next by Date: Re: Compromised system - still ok?
Previous by thread: Re: Compromised system - still ok?
Next by thread: Re: Compromised system - still ok?
Index(es):
- Date
- Thread