Re: checking if my system is compromised
On Sat, Apr 07, 2007 at 08:33:59PM -0400, Michael Pobega wrote:
> On Sat, Apr 07, 2007 at 03:33:34PM -0700, Kamaraju Kusumanchi wrote:
> > Hi all
> >
> > I am using Debian Etch (currently testing). Today from the abuse
> > department of my ISP, I received the following warning (pasted in
> > the end). My ISP has suspended my internet connection due to this.
> > However, I am not able to track down the cause of the problem. I
> > am wondering if anyone could help me out or tell me a better place
> > to contact...
Should the OP consider that he _has_ been compromised?
I would suggest you read the Securing Debian Manual (package
harden-doc). Read it all, but start with chapter 11: After the
Compromise (incident response). Assuming that you have done backups
anyway, pull the plug. Don't boot that hard drive again; either move it
to another system or boot a rescue CD to mount and examine it without
running any of the binaries on it (mount all partitions -noexec, ro).
The manual also points you to:
http://www.cert.org/tech_tips/root_compromise.html
After you examine logs and such, you may determine that you weren't
compromised after all. You've got the weekend, use it to check out your
system off-line so you have some ammunition with your ISP.
You can also pull off any information that you didn't include in your
backups, e.g. a list of packages installed. Just don't copy verbatim
from this disk to a clean system.
Good luck,
Doug.
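An added example (not part of Doug's message or of the Securing Debian Manual) of the off-line examination he describes, written as POSIX shell for the clean rescue system: mount the suspect partition read-only and noexec, pull the installed-package list by reading the suspect disk's dpkg status file directly, and list recently changed system binaries. The device path, mount point and function names are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example; assumes the suspect disk is attached to a clean rescue
# system (hypothetical device/mount point passed as arguments).

# Mount the suspect root filesystem so nothing on it can be executed,
# written, used as a device node or honoured as setuid.
mount_suspect() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# List installed packages by parsing the suspect disk's own
# /var/lib/dpkg/status as text, so no binary from that disk (not even
# its dpkg) is run. Prints one "name version" line per installed package.
list_installed() {
    status="$1/var/lib/dpkg/status"
    awk -v RS= -F'\n' '
      {
        name = ""; ver = ""; inst = 0
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^Package: /) name = substr($i, 10)
          else if ($i ~ /^Version: /) ver = substr($i, 10)
          else if ($i ~ /^Status: .* installed$/) inst = 1
        }
        if (inst && name != "") print name, ver
      }' "$status"
}

# List regular files under the suspect disk's system binary directories
# modified within the last $2 days: a quick triage of replaced binaries
# to compare against the clean package versions reported above.
recent_binaries() {
    mnt="$1"; days="$2"
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$mnt/$d" ] && find "$mnt/$d" -type f -mtime "-$days"
    done
}
```

Run `list_installed` against the mount point, then diff the result against a clean system's package list before trusting any file copied off the disk.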