Consider using tripwire on your computers in the future. This way you can create a database of md5sums of all important programs and store them on a disk in your drawer. Then you'll know what was hacked and what wasn't.
-rishi

On 15 Sep 2001, Momchil Velikov wrote:

> >>>>> "Dimitri" == Dimitri Maziuk <[EMAIL PROTECTED]> writes:
>
> Dimitri> In linux.debian.security, you wrote:
> >> I am curious if the following is an example of a buffer overflow. I
> >> noticed this in my syslog - and the following day had someone logged in
> >> from an IP I'm not aware of.
> >>
> >> I changed the passwords - and added an entry to the input chain to block
> >> the IP, but am wondering what other things I should do?
> >>
> >> Should I remove /bin/sh for something less obvious as a general
> >> protection from buffer overflows?
>
> Dimitri> If you suspect your machine was r00ted,
> Dimitri> 1. Take it off the net _now_.
> Dimitri> 2. If you want to do a post-mortem, boot from "known good" CD or plug
> Dimitri> the hd into a "known good" box.
> Dimitri> 3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall
> Dimitri> from scratch.
>
> Frankly, this looks a bit too harsh. Of course, it depends on the
> importance of the machine and the data on it.
>
> Dimitri> The reason is that the intruder could install hacked versions of utilities
> Dimitri> like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
> Dimitri> and/or a kernel module that does the same at OS level. Your logs may have
> Dimitri> been sanitized, too. You cannot trust any program on a r00ted box.
>                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> In theory, yes. In practice, one can (marginally) trust some of the
> programs, e.g. is it likely that a rootkit has changed ``tar''? Or
> ``apt-get''? Or ``tcsh''?
>
> You can use ``tar'' to find out if ``ls'' was changed. Use ``echo'' to
> list directories and compare with ``ls'' and ``find''. Use ``tcsh''
> builtin ``ls-F''.
>
> I guess there are other means to detect a rootkit, described somewhere
> on the web.
> (Hopefully, mozilla is not cracked to conceive such
> information :-)
>
> Regards,
> -velco
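The "database of checksums kept in your drawer" idea from rishi's reply, and velco's "compare what different tools say" approach, as an added example that is neither the thread's own code nor the tripwire project's: a minimal POSIX shell baseline/verify pair. It assumes GNU coreutils and uses sha256sum where the post says md5sum; the database file is meant to live on offline media and the verify step to be run from a known-good boot, since on a r00ted box the hashing tools themselves may lie.

```shell
#!/bin/sh
# Minimal tripwire-style integrity check (added example, not the thread's own code).
# Assumes GNU coreutils (sha256sum, find, sort, cut); sha256sum stands in for the
# md5sum suggested in the post. Keep DBFILE on offline media and run the verify
# step from a known-good boot, otherwise a rootkit can answer the questions for you.

# baseline_create DIR DBFILE: record "hash  path" for every regular file under DIR.
baseline_create() {
    dir=$1; db=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$db"
}

# baseline_verify DIR DBFILE: print MODIFIED / MISSING / NEW findings; return 1 if any.
baseline_verify() {
    dir=$1; db=$2; status=0
    # pass 1: every recorded file must still exist with its recorded hash
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$db"
    # pass 2: files the baseline never saw (a dropped backdoor binary, for instance);
    # the path starts at column 67: 64 hex digits plus two separator spaces
    new=$(find "$dir" -type f | sort | while IFS= read -r f; do
        cut -c67- "$db" | grep -qxF -- "$f" || echo "NEW      $f"
    done)
    if [ -n "$new" ]; then
        echo "$new"; status=1
    fi
    return "$status"
}

# Usage: sh baseline.sh create DIR DBFILE   (before the box goes on the net)
#        sh baseline.sh verify DIR DBFILE   (later, from a known-good boot)
case "${1:-}" in
    create) baseline_create "$2" "$3" ;;
    verify) baseline_verify "$2" "$3" ;;
esac
```

A clean tree produces no output and exit status 0; any MODIFIED, MISSING or NEW line makes the check fail, which is the signal to treat the machine the way Dimitri describes.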