
Re: Houston, I May Have a Problem (chkrootkit Results)



On Sun, Aug 29, 2004 at 01:01:14AM -0700, Alvin Oga wrote:
> 
> hi ya scarledown
> 
> On Sat, 28 Aug 2004, Scarletdown wrote:
> 
> > I'm in the process of archiving and backing up my documents, images, 
> > media, and other stuff I want to keep now, about 425MB worth of stuff.  
> 
> cool ... luckily ... the culprit didn't do anything worse to your machine
> 
> however, you should have already had backups ..
> 
> now that you know you probably have been cracked, it's too late to start
> doing backups, and definitely do NOT overwrite any old backups since
> they contain good backups and your current system ( backup you're doing
> now ) is suspect and all you might be doing is saving their trojan
> and restoring it again on your new install
> 
> ---
> we know you've been cracked ( evidenced by your chkroot )
> with top, ps, etc being infected 
> 
> the serious problem is ... lest it occur again for the same reason ...
> 	- how did that happen ... why haven't other boxes been cracked
> 	- how did they get in
> 	- who got in ..
> 	- how long have they been in
> 	- what other machines have they cracked
> 	- why they got in.... well probably for fun in this case

Since he was in the process of rebuilding, it's probably too late at this
juncture for him to do any kind of forensics.
 
> 	- on and on ..
> 
> 	- and if the attacking site came from goes to *.gov server,
> 	then call the local fbi branch and chase down the attacker
> 
> - if you simply reinstall ... you have a high risk they will revisit
>   and get back into your new box too

Which is why I suggested he deploy IDS/Firewall/logwatcher etc.

Unfortunately, usability times security measures tend to be a constant. The
more secure a box is, the more of a PITA it tends to be to use. As an
extreme example, the only truly secure box is one which is disconnected
from the network, unplugged, packed in concrete and fired into the
sun...Then again, it's not too usable at that point. That said, you have to
strike a best balance between security and your intended use for the box. 

--
--Brad
========================================================================
Bradley M. Alexander                       |
IA Analyst, SysAdmin, Security Engineer    |   storm [at] tux.org
Debian/GNU Linux Developer                 |   storm [at] debian.org
========================================================================
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
========================================================================
Ever notice when you blow in a dog's face he gets mad at you, but
when you take him in a car he sticks his head out the window?
                                                --George Carlin
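The thread's practical point is that a backup taken after ps and top were already trojaned just preserves the compromise, and that only a baseline taken while the box was clean can tell good copies from bad ones. The script below is an added example, not code from this thread or from chkrootkit: it records SHA-256 hashes of every file under a directory into a manifest and later reports which files changed, appeared or vanished. It assumes GNU coreutils (`sha256sum`, `find`, `mktemp`) and that the baseline is taken while the system is trusted; the demo directory, the fake "ps"/"top" files and the simulated tampering are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the thread): hash-baseline check for detecting
# replaced binaries before trusting a backup or a restored system.
# Assumes GNU coreutils. Paths containing spaces are not handled.

# Write one "sha256  ./relative/path" line per regular file under $1 into $2.
# Run this while the system is known-good, and keep the manifest off-box
# (read-only media or another host), or an intruder can rewrite it too.
make_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$out"
}

# Print the relative name of every file under $1 whose hash differs from
# baseline $2, plus files present only in the baseline (removed) or only on
# disk (added). Output is sorted and each name appears once.
check_baseline() {
    dir=$1; manifest=$2
    current=$(mktemp)
    make_baseline "$dir" "$current"
    # A line present in exactly one of the two manifests means that path's
    # hash changed, or the file exists on only one side; uniq -u keeps those.
    LC_ALL=C sort "$manifest" "$current" | uniq -u \
        | awk '{print $2}' | sed 's#^\./##' | LC_ALL=C sort -u
    rm -f "$current"
}

# Self-contained demonstration: baseline a clean "bin" directory, then
# simulate a trojaned ps (constructed sample data) and report what changed.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'genuine ps\n'  > "$work/bin/ps"
    printf 'genuine top\n' > "$work/bin/top"
    make_baseline "$work/bin" "$work/baseline.sha256"   # taken while clean
    printf 'trojaned ps\n' > "$work/bin/ps"              # simulated replacement
    check_baseline "$work/bin" "$work/baseline.sha256"   # prints: ps
    rm -rf "$work"
}

demo
```

On a real Debian system the same idea is what `debsums` does against the package database; a hand-kept manifest is useful precisely when you want to compare an old backup or a freshly restored tree against a baseline that the attacker never had write access to.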