On Mon, Sep 13, 2004 at 10:06:05PM -0400, Adam Aube wrote:
> Kevin Mark wrote:
>
> > There are no top secret things on my system, so full reinstall is not an
> > urgency.
>
> You have disk space and bandwidth - many times that's all an attacker wants.
>
> > I also checked 'top' for any unexpected processes and there was none. Of
> > course if top, ps and the kernel were replaced, then maybe I wouldn't know
>
> 1) Boot from a live cd and chroot to your local system
> 2) Use debsums (preferably copied from the live CD) to verify the integrity
> of the libraries and binaries in your installed packages
> 3) Reinstall packages whose binaries or libraries do not match
>
> Of course, the attacker could have trojaned your local apt cache, debsums'
> dependencies, apt-get/aptitude, dpkg, your startup scripts, etc.
>
> Eventually it just becomes easier to back up your data and wipe and
> reinstall the system than to try to fully verify that the system is secure.
>
> Adam
>
Hi Adam,
8GB (1.6 left) does not a warez archive make :-)
I looked at the ssh attack articles and the attacker left my root
.bash_history and /var/log/auth.log and attempted to download some tgz.
As the article suggested, this guy (at least this time) was not a guru.
I checked the dates of some of the suggested bins like ps, md5sum and
they were the orig. As I said, after a dist-upgrade of 300 pkgs, much
will not be UNtouched. Of course, dist-upgrades do not affect ALL pkgs,
like some of the core ones, so those would have to be 'reinstalled'.
I have not seen unexpected segfaults, unexpected ssh activity (now sshd
is not allowing remote root logins!) or other weirdness. When I have the
inclination, I'll have fun with the new debian-installer.
Cheers,
-Kev
--
         (__)
         (oo)
   /------\/
  / |    ||
 *  /\---/\
    ~~   ~~
...."Have you mooed today?"...
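The three-step check Adam describes above (boot from a live CD, chroot, compare the installed binaries against the package checksums with debsums, reinstall what differs) can be illustrated with a small script. The one below is an added example for this thread, not Adam's or Kevin's code and not part of debsums; it reimplements the core idea, reading the per-package `/var/lib/dpkg/info/<pkg>.md5sums` list and hashing each listed file under a mounted root, so the `md5sum` binary doing the work comes from the rescue media rather than from the suspect system. The package name `procps`, the file names and the altered `ps` are a constructed sample built in a temporary directory; on a real system you would point it at the mounted root and loop over every `.md5sums` file there.

```shell
#!/bin/sh
# Added example (not from the original thread, not debsums itself):
# verify installed files against dpkg's per-package .md5sums lists,
# hashing them with the md5sum from the rescue system.

# verify_pkg ROOT MD5SUMS_FILE
# Prints one line per file that is missing or whose hash differs from the
# list, and returns the number of such files (0 means everything matched).
verify_pkg() {
    root=$1
    list=$2
    bad=0
    # Each line of a .md5sums file is "<md5>  <path relative to />".
    while read -r want path; do
        [ -n "$path" ] || continue
        target="$root/$path"
        if [ ! -f "$target" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=$((bad + 1))
            continue
        fi
        got=$(md5sum "$target" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            printf 'CHANGED  %s (expected %s, got %s)\n' "$path" "$want" "$got"
            bad=$((bad + 1))
        fi
    done < "$list"
    return $bad
}

# build_sample DIR: constructs a fake mounted root holding a two-file
# "procps" package whose ps binary was replaced after installation
# (constructed sample data, not a real package).
build_sample() {
    dir=$1
    mkdir -p "$dir/root/usr/bin" "$dir/root/var/lib/dpkg/info"
    printf '#!/bin/sh\necho genuine ps\n' > "$dir/root/usr/bin/ps"
    printf '#!/bin/sh\necho genuine md5sum\n' > "$dir/root/usr/bin/md5sum"
    {
        printf '%s  usr/bin/ps\n' "$(md5sum "$dir/root/usr/bin/ps" | cut -d' ' -f1)"
        printf '%s  usr/bin/md5sum\n' "$(md5sum "$dir/root/usr/bin/md5sum" | cut -d' ' -f1)"
        # A listed file that no longer exists on disk (hash of the empty string).
        printf '%s  usr/bin/top\n' "d41d8cd98f00b204e9800998ecf8427e"
    } > "$dir/root/var/lib/dpkg/info/procps.md5sums"
    # Simulate a trojaned ps: contents changed after the checksum list was written.
    printf '#!/bin/sh\necho replaced ps\n' > "$dir/root/usr/bin/ps"
}

# run_demo: builds the sample, checks it, and prints the mismatch count on
# stdout (the per-file report goes to stderr so callers can read the count).
run_demo() {
    t=$(mktemp -d)
    build_sample "$t"
    n=0
    verify_pkg "$t/root" "$t/root/var/lib/dpkg/info/procps.md5sums" >&2 || n=$?
    rm -rf "$t"
    echo "$n"
}

# Stand-alone run: expect two findings, the changed ps and the missing top.
run_demo
```

Two caveats a practitioner would keep in mind, both already implicit in Adam's warning: the `.md5sums` lists live on the suspect disk, so an attacker who can replace a binary can usually edit its checksum line too, and only packages that ship an md5sums file can be checked at all. The comparison is therefore evidence, not proof; the trustworthy reference is a clean copy of the package from the mirror, which is what the reinstall step supplies.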