
Re: how to fix rootkit?



08/02/2012 15:40, Repasi Tibor wrote:
> But, most important: think before you act. If you wipe and reinstall
> the system, it could be as vulnerable as it was, so it may be rooted
> before you have it fully up again. Consider the following:
> 
> - Cut the network connection. With the system off-line you can investigate
> the situation undisturbed. However, there is a small chance that the
> rootkit eliminates itself when counteraction (network unplug) is detected.
> 
> - Announce the incident. In the company, to customers, and to whom it
> may concern.
> 
> - Think about essential services running on the system. For whatever your
> business cannot run without, take care to restart the minimal
> sufficient services (probably from some other hosts).
> 
> - Prepare yourself for doing the investigation. A good starting point:
> http://www.fish2.com/tct/help-when-broken-into
> 
> - Back up the last state for investigation. Do a backup of all
> filesystems prior to reboot (as suggested), then reboot to a clean
> environment and dump the HD contents again.
> 
> - Investigate. Find the answers to these questions: How did the intruder gain
> root access? What vulnerability was necessary to do so? What
> countermeasures are available on the issue? Can you set up a new system
> which is immune against the intrusion?
> 
> - Set up a new and clean system from the latest release and take necessary
> action to provide hardened security.
> 
> - Stepwise re-enable services.
> 
> 

Hi, I am following the thread with interest, and noticed that most
advice focused on the compromised host, but isn't the problem much
broader? If forensics finds evidence that the attack was a targeted
one, it's basically impossible to trust anything which has been
connected to the compromised computer: think USB flash disks, phones,
disk drives and CD/DVD/BD drives with upgradeable firmware, physically
connected or networked printers with upgradeable firmware, network
devices which can be rooted too. Not to mention all the computers which
were accessed from or had access to the compromised one.
Even the backup is to be treated with great care, especially if it's
stored on a remote host which is always available and connected to the
compromised machine. I have already seen mention of the BIOS, but when
summing up all the possible reinfection vectors on a medium or large
network with many users, the cleaning process seems a tremendous amount
of work, and one that has to be carried out in a very well planned
fashion to avoid seeing all efforts wasted at the switch-on of a printer,
or the plugging in of an external medium...
I guess it's a matter of balancing the risks versus consequences versus
available resources, but it's good not to bury one's head in the sand
and think reinstalling the OS and restoring a backup is always enough.
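The "back up before reboot, then dump again from a clean environment" step quoted above, as an added shell example that is not code from the thread: it images a device with dd, records and re-checks a SHA-256 manifest for each image, and compares the live-system dump with the clean-boot dump. It assumes dd and sha256sum are available and an unmounted (or read-only) source; /dev/sdX and /mnt/evidence are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU/BSD dd and
# sha256sum; device and evidence paths below are placeholders.

# image_device SOURCE DEST: raw-copy SOURCE to DEST and write DEST.sha256.
# Returns non-zero if the image hash does not match the source hash.
image_device() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=1M 2>/dev/null || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    # Manifest in "sha256sum -c" format, so the image can be re-checked later
    printf '%s  %s\n' "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DEST: re-check an image against its stored manifest
# (use this before every analysis session to catch a tampered image).
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# compare_dumps PRE POST: 0 if the live dump and the clean-boot dump hash
# identically, 1 if they differ. A difference means the on-disk state
# changed between the two dumps, which is itself evidence to investigate.
compare_dumps() {
    pre=$(cut -d' ' -f1 "$1.sha256")
    post=$(cut -d' ' -f1 "$2.sha256")
    [ "$pre" = "$post" ]
}

# Intended sequence (placeholders):
#   image_device /dev/sdX /mnt/evidence/live.img     # on the running system
#   ... reboot into a clean environment (live CD/USB) ...
#   image_device /dev/sdX /mnt/evidence/clean.img
#   verify_image /mnt/evidence/live.img
#   compare_dumps /mnt/evidence/live.img /mnt/evidence/clean.img
```

Keep the evidence destination on a medium that was not reachable from the compromised host, for the same reason the backup is suspect in the post above.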

