
Re: Is my system compromised



On Sunday 05 February 2006 06:52, grey@dmiyu.org wrote:
>    Yay, more of Alvin's nonsense!
>
>> personally, it is 1000x easier to fix and remove the security
>> problems than it would be to start from step -1 reinstalls
>
>    Uh no, it's not if you do it properly.
>
>> ... and spend
>> another week or month to harden and verify all the configs
>> and user info ( i say, if you're "doing it right", it will take you
>> about 3 days to a week to harden the new box and verify it )
>
>    Personally I spend about 2-3 minutes doing this.  It's called
> regular backups of /etc and other key locations of configuration
> data.  Pull a copy prior to the compromise.
>
>> when you reinstall, you still cannot be guaranteed that the trojans
>> are not going to be restored by your reinstalls and restores from
>> backup
>
>     That's why, dundunDUNNNNN, he said "copy only data, not
> programs." Backing up data, not programs, means the chances of you
> getting anything malicious in there are extremely low.  In fact I dare
> say nonexistent.
>
>>  - how can you guarantee that the trojans are not in the backups ?
>
>    Backup data areas, not areas in the path?  Just a thought.
>
>> the trick is that you know how to verify the binaries, the libraries
>> and the directory tree ... and can find what is NOT supposed to be
>> there
>
>    Which is extremely hard to do on a compromised system where the
> basic tools you rely on to detect such things have been modified to
> hide the very things you're looking for.
>
What he said, amen amen.  I did clean up a rootkit once, years ago, but
it took about 3 days to check everything.  Fortunately, the perp DIDN'T
put in a new chattr; it turned out to be a very valuable tool for finding
his crap.

A re-install is quicker, then get older backups from amanda's stash.
>--
>Steve Lamb

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
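
As an added example (not code from this thread or from any of its posters), here is a small POSIX sh script that does the "find what is NOT supposed to be there" comparison Alvin describes, using a manifest of SHA-256 hashes taken from a pre-compromise backup as Steve suggests. Steve's caveat is the important operational point: run it from a clean boot medium, because find(1), sha256sum(1) and the shell on a rootkitted box can be modified to lie, and a manifest recorded after the break-in proves nothing. The tree, file names and "tampering" in the demo function are constructed for illustration; the function names and the optional lsattr check (in the spirit of Gene's chattr remark) are my own, not anything from the thread.

```sh
#!/bin/sh
# Compare a pre-compromise manifest (sha256 + relative path) against the
# current tree and report what is CHANGED, MISSING or UNEXPECTED.
# Run from a clean boot medium: on a rootkitted host, find(1), sha256sum(1)
# and even the shell may have been replaced to hide exactly what you seek.
# The manifest must come from a backup taken before the compromise.

LC_ALL=C; export LC_ALL    # stable sort/comm ordering regardless of locale

# Print the SHA-256 of one file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest ROOT: one line "<sha256> <relative path>" per regular file.
# Record this on the known-good system and keep it OFF the box.
make_manifest() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort ) |
    while IFS= read -r path; do
        printf '%s %s\n' "$(hash_file "$1/$path")" "$path"
    done
}

# check_tree MANIFEST ROOT: one finding per line, tagged
#   CHANGED    hash differs from the manifest (replaced binary/library)
#   MISSING    in the manifest, not on disk (deleted tool)
#   UNEXPECTED on disk, not in the manifest ("NOT supposed to be there")
check_tree() {
    manifest=$1; root=$2
    while read -r expected path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING    $path"
        elif [ "$(hash_file "$root/$path")" != "$expected" ]; then
            echo "CHANGED    $path"
        fi
    done < "$manifest"
    # Temp files go to mktemp's location, not onto the suspect tree.
    exp_list=$(mktemp); act_list=$(mktemp)
    cut -d' ' -f2- "$manifest" | sort > "$exp_list"
    ( cd "$root" && find . -type f | sed 's|^\./||' | sort ) > "$act_list"
    comm -13 "$exp_list" "$act_list" | sed 's/^/UNEXPECTED /'   # only on disk
    rm -f "$exp_list" "$act_list"
}

# list_immutable ROOT (Linux/e2fsprogs only): files with the immutable (i)
# attribute. Intruders sometimes chattr +i their files so they cannot be
# removed; outside a few admin-managed spots that flag is worth a look.
list_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 0; }
    lsattr -R "$1" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# demo: build a constructed tree, record its manifest, tamper with it the
# way an intruder might, and print the findings (all paths are made up).
demo() {
    work=$(mktemp -d)
    tree=$work/tree
    mkdir -p "$tree/bin" "$tree/lib"
    printf 'genuine ls\n'      > "$tree/bin/ls"
    printf 'genuine ps\n'      > "$tree/bin/ps"
    printf 'genuine netstat\n' > "$tree/bin/netstat"
    printf 'genuine libc\n'    > "$tree/lib/libc.so.6"
    make_manifest "$tree" > "$work/manifest.good"   # "before the compromise"

    printf 'trojaned ps that hides pids\n' > "$tree/bin/ps"   # replaced tool
    rm "$tree/bin/netstat"                                    # deleted tool
    printf 'backdoor\n' > "$tree/bin/.sshd2"                  # dropped file

    check_tree "$work/manifest.good" "$tree"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run as `sh check.sh demo` to see the three findings on the constructed tree; for a real box, generate the manifest from the backup copy of the tree (or from the package files of a fresh install) and point check_tree at the mounted, suspect filesystem. A clean report from this script still only says the files you listed are unchanged; it says nothing about kernel modules, cron entries or data directories you did not put in the manifest, which is one more reason the reinstall-and-restore-data-only advice in the thread is the safer bet.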