
Re: Possible compromission, what to do?



On 11/13/2014 03:57 AM, Erwan David wrote:
I just got a call from the police, that they have arrested a
pirate who "tried" to connect to one of my (debian) servers. They tell
me he is gifted, but since the policewoman I had on the phone mixes up
server, web site and email address, it may not be completely accurate.

However, I'd prefer to be sure my server was not compromised, and at the
lowest possible cost (in time and work). Is there a way to check the
packages/installed files from outside sources (I may boot a fresh live
system in order to have clean utilities), or even provoke a reinstall
with a new download of the whole system?

Thank you.

It's clearly not the most efficient way, but I use debsums against my local repos, like this one-line script:

# cat check-debsums
debsums -ca --generate=all --deb-path=/mnt/$1/install/deblinks

The deblinks directory just contains links to all debs in the repo:

# cat make-deblinks
#!/bin/sh
# Usage: make-deblinks /path/to/mirror
# Rebuilds a flat directory of hard links to every .deb found under the mirror,
# so debsums --deb-path can find every package by file name.
DEBIAN_DEST=$1
[ -n "$DEBIAN_DEST" ] || { echo "usage: $0 <mirror-root>" >&2; exit 1; }
#rm -rf "$DEBIAN_DEST/deblinks.old"
rm -rf "$DEBIAN_DEST/deblinks"
#mv "$DEBIAN_DEST/deblinks" "$DEBIAN_DEST/deblinks.old"
mkdir "$DEBIAN_DEST/deblinks"
cd "$DEBIAN_DEST/deblinks" || exit 1
# Hard links (ln without -s) require the mirror and deblinks on the same filesystem
find "$DEBIAN_DEST"/debian* -regex '.*\.deb$' | while read -r filepath
do
        #echo "$filepath"
        file=$(basename "$filepath")
        #echo "$file would be linked to $filepath"
        ln "$filepath" "$file"
done

------------------
As I said, not efficient, but who cares? It's easy and I don't have anything public facing, and it only takes a few minutes to check each upgrade. Obviously the safest thing is to reinstall from the package list.
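To make the check discussed in this thread concrete, here is the core of what debsums does, written as an added example that is not code from this thread or from the debsums package: it reads a trusted list in the md5sums format dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums ("<md5hex>  <path relative to />") and compares it against files under a given root, which is how you would run it from a live system with the suspect disk mounted under a path such as /mnt/suspect (that mount point, the demo tree and its file contents are all constructed for the example). The reason to take the checksum list from the .deb files or a clean mirror, as the --deb-path trick above does, rather than from the suspect machine's own /var/lib/dpkg/info, is that anyone with root on that machine could have rewritten the local copies too.

```python
"""Verify a mounted filesystem tree against a trusted dpkg-style md5sums list.

Added example (not from the thread or from debsums). The demo tree, its
contents and the "tampering" are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Return {relative_path: md5hex} from text in dpkg's md5sums format."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Format is "<32 hex chars><two spaces><path>"; paths may contain spaces
        digest, _, path = line.partition("  ")
        entries[path.strip()] = digest.strip().lower()
    return entries


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, expected):
    """Compare every listed file under root.

    Returns {relative_path: "OK" | "FAILED" | "MISSING"}. Files present under
    root but absent from the list are deliberately not reported: a checksum
    list can only vouch for what a package shipped.
    """
    results = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of(full) != digest:
            results[rel] = "FAILED"
        else:
            results[rel] = "OK"
    return results


def build_demo_root():
    """Construct a stand-in for a suspect root mounted at e.g. /mnt/suspect.

    Returns (root_path, trusted_md5sums_text). The trusted list is recorded
    from the pristine contents, as if extracted from the .deb files.
    """
    root = tempfile.mkdtemp(prefix="demo-root-")
    shipped = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "etc/demo.conf": b"option = value\n",
        "usr/lib/demo/helper.so": b"\x7fELF placeholder bytes\n",
    }
    for rel, data in shipped.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    trusted = "".join(
        "%s  %s\n" % (hashlib.md5(data).hexdigest(), rel)
        for rel, data in shipped.items()
    )
    # Simulate what a check must catch: one binary altered, one library removed
    with open(os.path.join(root, "usr/bin/hello"), "wb") as f:
        f.write(b"#!/bin/sh\necho not what the package shipped\n")
    os.remove(os.path.join(root, "usr/lib/demo/helper.so"))
    return root, trusted


def run_demo():
    """Build the demo tree and verify it against the trusted list."""
    root, trusted = build_demo_root()
    return verify_tree(root, parse_md5sums(trusted))


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print("%-8s %s" % (status, path))
```

Two limits of this kind of check are worth keeping in mind when reading the results. dpkg's md5sums lists do not cover conffiles, which is why the one-liner above passes -a and --generate=all to debsums; and nothing that was never part of a package (an added cron job, an extra binary in /usr/local) appears in any list, so a clean debsums run rules out tampered package files but not added ones. That is the gap the last sentence of the post points at: a reinstall from the package list onto a fresh system is the answer that does not depend on the list being complete.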
