Re: how to fix rootkit?

["volk@kadr.tv" <volk@kadr.tv>]

08.02.2012 17:40, Repasi Tibor пишет:
> But, the most important: think before you act. If you wipe and 
> reinstall the system, it could be as vulnerable as it was, so it may 
> be rooted before you have it fully up again. Consider the following:
>
> - Cut network connection. Having the system off-line you can 
> investigate the situation undisturbed. However, there is a small 
> chance that the rootkit eliminates itself when counteraction (network 
> unplug) is detected.
>
> - Announce the incident. In the company, to customers, and to whom it 
> may concerns.
>
> - Think about essential services running on the system. What your 
> business cannot run without, you should care to restart minimal 
> sufficient services (probably from some other hosts).
>
> - Prepare yourself in doing the investigation. A good starting point: 
> http://www.fish2.com/tct/help-when-broken-into
>
> - Backup the last state for investigation. Do a backup of all 
> filesystems prior to reboot  (as suggested), than reboot to a clean 
> environment and dump the HD contents again.
>
> - Investigate. Find the answers to questions: How the intruder gained 
> root access? What vulnerability was necessary to do so? What 
> countermeasures are available on the issue?
It's good question. Firewall was all right. But few months earlier I had 
opened ssh access from any IP (3-times attempt to login limit was leaved).
Enother thing was tweaked is ntp. /bin/top and other scripts was changed 
by malefactor like "chgrp ntp /bin/top", but it's probably a coincidence 
of a group id.
And also most likely causes may be were 
http://www.debian.org/security/2012/dsa-2403 and 
http://www.debian.org/security/2012/dsa-2405
By the way /bin/top and other was changed at 4:30 6 feb 2012.
The system was very secured and each week it was updating to the last 
release.
If such bugs can occure (like dsa-2405) then there is no a solution to 
reflect the attach that goes few minutes after the fix is released.

> Can you setup a new system which is immune against the intrusion?
>
> - Setup a new and clean system from a latest release and take 
> necessary action to provide hardened security.
>
> - Stepwise re-enable services.
>
>
> On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I would rather (if it's ok for the server do be down for a while) unplug
> > the internet cable and dd (and/or rsync) all the partitions before
> > rebooting.
> > A lot of information (including swap) is lost during reboot...
> >
> > Best,
> > Leonor Palmeira.
> >
> > On 08/02/12 14:50, Fernando Mercês wrote:
> > > I recommend you boot with some live CD system and make a dump of each
> > > partition, including swap, with dd. So you can analyze it after wipe
> > > your system.
> > >
> > > This analysis will help you to discover how attacker have gained root
> > > access, protect your actual system and feed community with real case
> > > information. If you need help, please let me know.
> > >
> > > Best regards,
> > >
> > > Fernando Mercês
> > > Linux Registered User #432779
> > > www.mentebinaria.com.br
> > > softwarelivre-rj.org
> > > @MenteBinaria
> > > ------------------------------------
> > > II Hack'n Rio - 23 e 24/11
> > >                   hacknrio.org
> > > ------------------------------------
> > >
> > >
> > >
> > > On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
> > > <als@thangorodrim.de>  wrote:
> > > > On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru 
> > > > wrote:
> > > > > Today I found next things at squeeze. Please help to fix, I've no
> > > > > experience in such tasks.
> > > > >
> > > > > # chkrootkit
> > > > > ROOTDIR is `/'
> > > > > Checking `ifconfig'...                                      INFECTED
> > > > > Checking `netstat'...                                       INFECTED
> > > > Don't even try to fix, with the system rooted you cannot trust it.
> > > > The only safe course of action is to wipe the system and reinstall it.
> > > >
> > > > If you need the data on the machine and have no current backups, boot
> > > > from a rescue CD (giving you a _clean_ environment) and copy the data
> > > > off, then wipe&  reinstall.
> > > >
> > > > Kind regards,
> > > >            Alex.
> > > > --
> > > > "Opportunity is missed by most people because it is dressed in 
> > > > overalls and
> > > >   looks like work."                                      -- Thomas 
> > > > A. Edison
> > > >
> > > >
> > > > --
> > > > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > > > with a subject of "unsubscribe". Trouble? Contact 
> > > > listmaster@lists.debian.org
> > > > Archive: 
> > > > 20120208125104.GA18436@thangorodrim.de">http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
> > - -- Leonor Palmeira, PhD
> >
> > Phone: +32 4 366 42 69
> > Email: mlpalmeira AT ulg DOT ac DOT be
> > http://sites.google.com/site/leonorpalmeira
> >
> > Immunology-Vaccinology, Bat. B43b
> > Faculty of Veterinary Medicine
> > Boulevard de Colonster, 20
> > University of Liege, B-4000 Liege (Sart-Tilman)
> > Belgium
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.10 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> >
> > iQEcBAEBAgAGBQJPMoF4AAoJEKquFGwgRb3zXEgIAIvbk4PP2bBH0V2SQTQc0MD2
> > C0YuVRbWU5DBCQZ83bIcOKDjxMnB4IMpZt3qIeih9pS1V/Ip/zCCL83rTWEieUOY
> > k77nHns75cUjcf85krfTs0IcvW22D1UC6Fh63LSDKDQQ6HV5p4B3zFVl7zd9SWlz
> > 9rvKjnfSvwJp1Xq0j0d0KpEZ3CAN7ltbJh/3G/ByAcQV1Z7FO0elbpHE0IbGDKnA
> > ezVOG23ICzwfXH2SiPKp9kFxwgAPGTD1lnOr27oWQHlxPa7ccwQFWzbyL9kPm1zv
> > J4eJ3tfuGI6Iv/dd/o8DW9xcYNw4FsXo61bfcrwlOrni0Tf4/ZPKytnwY6o9pII=
> > =MUD3
> > -----END PGP SIGNATURE-----


--
Александр Сергеевич Волков
веб-дизайнер

www: http://www.frgroup.ru
mob: +79215283540
e-mail: volk@kadr.tv
skype: v2003_2003@mail.ru
icq: 255569374