> -----Original Message-----
> From: Henrique de Moraes Holschuh [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, February 09, 2002 12:40 PM
> To: Tina Embrey [mailto:[EMAIL PROTECTED]]
> Cc: [EMAIL PROTECTED]
> Subject: Re: HELP I've been cracked
>
> > My Debian 2.2 Potato and Woody Servers have been attacked
> > by a cracker who has installed a 'root kit' and broke ps
> > and several other core components of the OS. [...]
> >
> > Is there any way to fix the broken apps, and get the system
> > secured again?
>
> None that are worth the risk. A full reinstall is the only
> alternative we could recommend in good faith. Everything else
> is not 100% guaranteed.

I must second this comment. Frankly, there is no practical way to be certain of what has been compromised, thus the entire system is suspect. This may apply despite something like Tripwire being used, because it could be foiled by a particularly skilled blackhat (or poor installation). I know it probably isn't the answer you were hoping for, but I think most everyone would agree it's the best solution.

There ARE some tools for detecting certain rootkits, but I mention this only because it could be educational for you to learn how they broke in and fooled around. One of these will find commonly-installed items that skript kiddies might use:

    $ apt-cache show chkrootkit

You should NOT rely on this as your only means of intrusion detection, however. I would also discourage you from repairing the system based on the results you find with chkrootkit, because it may not be accurate, and/or there may be additional tampering elsewhere that it doesn't find.

One of the things I did with my firewall was compile all the needed modules into the kernel, so that no additional modules can be loaded -- which is one way a hacker can install things. You might look into this, or perhaps use "LIDS", the Linux Intrusion Detection System. It's a kernel-based hardening program (for lack of a more concise term):

    $ apt-cache show lids-2.2.19

and http://www.lids.org

> Please look for the security Debian howto at:
> http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

An excellent security reference, with concepts that are good practice for all Linux boxen.

Other suggested reading (not Debian-centric):

http://staff.washington.edu/dittrich/R870/reacting.html
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
http://www.enteract.com/~lspitz/linux.html
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

Last but not least, once you have secured your machine as best you can, run a variety of security tools against it, such as Nessus, raccess, nmap and so forth. You might find additional holes that can be plugged.

Hope that helps,

Jeff Bonner

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
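As an added illustration of the integrity-check idea the thread touches on (and of its limit), the script below compares installed files against the md5sums dpkg records at install time, the same data `debsums` reads; it is not part of the mail or of any Debian package, builds its own throwaway fixture (a constructed "trojaned" ps) instead of touching the real system, and assumes only `md5sum` and `mktemp` are present.

```shell
#!/bin/sh
# Added example: check files against a dpkg-style .md5sums list.
# Caveat the mail makes: a rootkit that replaced md5sum, sh, or the
# kernel can lie to this check, which is why a reinstall is the safe
# answer. Use it to learn what was touched, not to decide you are clean.

# verify_md5sums MD5SUMS_FILE [ROOT]
#   MD5SUMS_FILE lines look like "<md5>  <path relative to ROOT>".
#   Prints one line per altered or missing file.
#   Returns 0 when every file matches, 1 when any does not.
verify_md5sums() {
    md5file=$1
    root=${2:-/}
    bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue            # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$md5file"
    return $bad
}

# Constructed fixture (not a real system): a fake root whose bin/ps is
# replaced after the checksum list was written, plus a file that vanished.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf 'original ps\n' > "$demo_root/bin/ps"
printf 'original ls\n' > "$demo_root/bin/ls"
{
    printf '%s  bin/ps\n' "$(md5sum "$demo_root/bin/ps" | cut -d' ' -f1)"
    printf '%s  bin/ls\n' "$(md5sum "$demo_root/bin/ls" | cut -d' ' -f1)"
    printf 'd41d8cd98f00b204e9800998ecf8427e  bin/netstat\n'   # never created
} > "$demo_root/procps.md5sums"
printf 'something else\n' > "$demo_root/bin/ps"   # simulate the tampering

# Expected: "MODIFIED bin/ps", "MISSING  bin/netstat", then the failure note.
verify_md5sums "$demo_root/procps.md5sums" "$demo_root" \
    || echo "integrity check FAILED: treat the host as compromised"
```

On a real Debian box the lists live under /var/lib/dpkg/info/*.md5sums, and only packages that shipped them can be checked this way.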