
Re: hacked, then intrusion detection system



On Sat, Feb 03, 2001 at 08:47:26PM -0300, mgriffa@fibertel.com.ar wrote:
> 
> can I complete re-install with apt? or I have to do the boot from cd
> again?

boot from the CD, and erase all partitions, backup any data or config
files you want to keep but manually audit each and every file before
restoring, and restore no binaries.  

if you want to save the package lists run:

dpkg --get-selections \* > select

then look through that list before restoring it after you install the
clean base system. 

you can restore that package selection list with this command:

dpkg --set-selections < select

since you have a clean system with clean apt and clean sources.list i
don't see much of a way for evil to leak back in through this.  unless
the attacker removed or installed many packages then you would have to
go through and manually put things back anyway.  but he can't make you
apt-get install trojan this way.. (apt-get install
buggy-prog-with-big-root-hol yes though)  

as it is now you can't trust apt-get, it could be trojaned to download
more backdoor packages from who knows where.  your kernel could be
compromised to always allow remote root access etc etc etc.  wipe the
entire disk.  i would even zero out the partition table and
repartition it from scratch too.  (i even zero out the entire disk,
but this will take a long time)  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
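
The review step described in the message above ("look through that list before restoring it"), as an added example that is not part of the original message. It assumes a second list taken with `dpkg --get-selections` on the freshly installed base system; the function name `audit_selections`, the file names and the sample package names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): compare the package list
# saved from the compromised machine against one taken on the clean base
# system, so only the differences need manual review before restoring.

# audit_selections SAVED BASELINE
#   BAD <line-no>  line is not "<package> <state>" with a known dpkg state
#   NEW <package>  marked install/hold in SAVED but absent from BASELINE
# Exit status is 1 if any BAD line was seen, otherwise 0.
audit_selections() {
    awk '
        # First file is the baseline: remember every package name in it.
        FILENAME == ARGV[1] { base[$1] = 1; next }
        # Anything that is not a plain name plus a known state is suspect.
        NF != 2 || $1 !~ /^[a-z0-9][a-z0-9+.:-]*$/ ||
        $2 !~ /^(install|hold|deinstall|purge)$/ {
            print "BAD " FNR; bad = 1; next
        }
        # Packages the clean install does not have need a human decision.
        ($2 == "install" || $2 == "hold") && !($1 in base) { print "NEW " $1 }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# demo: constructed sample lists, not data from the original thread.
demo() {
    d=$(mktemp -d) || return 1
    printf 'apt\tinstall\nbash\tinstall\ndpkg\tinstall\n' > "$d/baseline"
    printf 'apt\tinstall\nbash\tinstall\nexample-daemon\tinstall\n' > "$d/select"
    printf 'old-tool\tdeinstall\nweird;name\tinstall\n' >> "$d/select"
    audit_selections "$d/select" "$d/baseline"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# With two arguments audit real files; with none run the constructed demo.
if [ $# -eq 2 ]; then
    audit_selections "$1" "$2"
elif [ $# -eq 0 ]; then
    demo || true
fi
```

Any `BAD` line should be deleted from the list rather than repaired, and each `NEW` package is a decision to make by hand before running `dpkg --set-selections`.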
