Re: how to fix rootkit?

To: debian-security@lists.debian.org
Cc: Jason Fergus <leech@thefnords.org>
Subject: Re: how to fix rootkit?
From: Russell Coker <russell@coker.com.au>
Date: Thu, 9 Feb 2012 15:29:38 +1100
Message-id: <201202091529.38623.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <1328760003.1540.5.camel@localhost.localdomain>
References: <4F3237FA.1050206@lab127.karelia.ru> <4F331051.7090500@mikemestnik.net> <1328760003.1540.5.camel@localhost.localdomain>

On Thu, 9 Feb 2012, Jason Fergus <leech@thefnords.org> wrote:
> Out of curiosity, couldn't one technically boot up a liveCD, mount the
> drive(s) and then download the .debs individually, then extract them
> over the mounted partitions, effectively copying over all of the
> binaries.

There is the possibility of SUID binaries not owned by packages and the issue 
of configuration files which have malicious changes.

The best thing to do is to install all the same packages on a new system and 
then run a "diff -r" on the /etc directory and determine which differences are 
desired configuration changes and which might have been made by the attacker.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to:

References:
- how to fix rootkit?
  - From: "volk@lab127.karelia.ru" <volk@lab127.karelia.ru>
- Re: how to fix rootkit?
  - From: Mike Mestnik <cheako@mikemestnik.net>
- Re: how to fix rootkit?
  - From: Jason Fergus <leech@thefnords.org>

Prev by Date: Re: how to fix rootkit?
Next by Date: Re: how to fix rootkit?
Previous by thread: Re: how to fix rootkit?
Next by thread: bios infection (was: how to fix rootkit?)
Index(es):
- Date
- Thread