David Guntner wrote:
> civileme grabbed a keyboard and wrote:
>
>> David Guntner wrote:
>>
>>> Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time}
>>> and {time}
>>>
>>> Question: Based on this, is my system likely to have been compromised or
>>> not? For that matter, what's wted?
>>>
>> wted -- wtmp editor
>>
>> http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
>>
>> Reading the whole doc will be educational. The grammar isn't perfect
>> but the message is unusually clear.
>>
>
> I'm reading it now, and I am not heartened by what I see....
>
> Is there anything that could cause the checker to trip on that? I.e., is
> there something else which could result in it thinking that something was
> removed from wtmp?
>
> I'm pretty careful in my password choices and am on the mandrake-security
> announce list so that I know when a fix has been released (and I put it in
> right away), so I'm really curious as to how someone could have gotten in,
> installed that program, run it to cover up whatever else it was they did,
> and then removed it.
>
> And, I'm *not* enjoying the prospect of having to wipe and reinstall my
> system.... :-/
>
> Any other thoughts on the subject? Or is it just time to "push the button,
> Max?" (Probably no one will get the joke, but I'm sure you understand the
> meaning... :)
>
>  --Dave
>
> ------------------------------------------------------------------------
>
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
>

Well, you noted I was very terse in my message. I hate to be the bearer
of bad news. But first try

Put in CD#1
cd /mnt/cdrom
rpm -ivh --force basesystem-8.2-1mdk.i586.rpm
This will generally blow away anything done to /bin /sbin or /lib.

Use the now good ls and rgrep tools to scan other directories for
martians--if you see any, by God, push the button.

If you are in an unfriendly environment it is time to consider a separate
firewall machine between you and the web. Mandrake SNF is exceptionally
conservative, not even allowing a DMZ, and is configurable from inside via
a web browser. MNF is coming soon and will have stateful firewalling, which
is an additional degree of security.

Now as to how this may happen, have you ever connected via ftp? Or
downloaded by http? There is a way (and damned near undetectable if you
are more than a few hops from both client and server) to desynchronize the
ends of a TCP connection and become a machine in the middle, acting as
server to the client and client to the server. (There is also another way
of doing this with https, sometimes called Man-in-the-middle.) These are
very sophisticated attacks run by knowledgeable blackhats and not by
script kiddies.

To avoid such problems, NEVER accept self-signed certificates. NEVER
download pure binaries--download source unless it is something like a full
iso. Grab md5sums for what you do download from a different mirror (and
check them). Don't download isos for which there are no md5sums available.
(Exception: Really old stuff or really new--crackers are unlikely to have
infected copies to supply.)

Civileme
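The "2 deletions found between {time} and {time}" line that started this thread is the output of a wtmp checker, and it helps to see what such a check actually looks at before deciding whether to push the button. The script below is an added example, not code from the thread, from chkrootkit or from the hackkit document; it assumes the checker's heuristic is this: wtmp is an append-only file of fixed-size records, a cleaner that hides a login usually zeroes the record in place rather than shrinking the file, so a run of all-zero records sitting between two timestamped records is reported as that many deletions. The 384-byte record layout (glibc struct utmp on Linux) and the sample wtmp image are constructed for the example.

```python
"""Rebuild the kind of wtmp check that prints
"Checking 'wted'... N deletions found between <time> and <time>".

Added example, not code from the thread or from any checker. It assumes the
heuristic described in the lead-in: zeroed records bracketed by timestamped
ones count as deletions. Record layout and sample data are constructed.
"""
import struct
import time

# glibc 'struct utmp' on Linux, 384 bytes (layout assumed for this example):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit{e_termination, e_exit}, ut_session, ut_tv{sec, usec},
# ut_addr_v6[4], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def _cstr(b):
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one record; only used here to build the constructed sample."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, b"")


def parse_wtmp(data):
    """Split a wtmp image into dicts; an all-zero record parses with time 0."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of %d bytes" % UTMP_SIZE)
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def find_deletions(records):
    """Return [(count, before, after), ...]: 'count' zeroed records found
    between a record timestamped 'before' and the next one timestamped
    'after'. Zeroed records at the very start or end of the file are not
    bracketed and are not reported, so a zero-padded tail does not trip it."""
    gaps, zeroed, last_time = [], 0, None
    for r in records:
        if r["time"] == 0:
            zeroed += 1
            continue
        if zeroed and last_time is not None:
            gaps.append((zeroed, last_time, r["time"]))
        zeroed, last_time = 0, r["time"]
    return gaps


def report(data):
    """One-line verdict in the style of the output quoted in the thread."""
    gaps = find_deletions(parse_wtmp(data))
    fmt = lambda t: time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))
    if not gaps:
        return "Checking 'wted'... nothing deleted"
    return "Checking 'wted'... " + "; ".join(
        "%d deletions found between %s and %s" % (n, fmt(a), fmt(b))
        for n, a, b in gaps)


# Constructed sample: boot, one login, two records zeroed by a cleaner, logout.
T0 = 1020000000
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    make_record(USER_PROCESS, 1234, "pts/0", "dave", "10.0.0.5", T0 + 600),
    b"\0" * UTMP_SIZE,
    b"\0" * UTMP_SIZE,
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", T0 + 4200),
])

if __name__ == "__main__":
    print(report(SAMPLE_WTMP))
    # Against a real file: print(report(open("/var/log/wtmp", "rb").read()))
```

Two things follow from the heuristic. First, the two timestamps in the message bracket the hole, so the login that was hidden happened between them; that narrows the window to look at in other logs and in lastlog. Second, the check only sees zeroed records, so a cleaner that rewrites the file without the offending records leaves nothing for it to find, which is why a clean result from this one test is not evidence of a clean box.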