David Guntner wrote:

>civileme grabbed a keyboard and wrote:
>
>>David Guntner wrote:
>>
>>>Checking 'sniffer'... Checking 'wted'... 2 deletions found between {time} 
>>>and {time}
>>>
>>>Question:  Based on this, is my system likely to have been compromised or 
>>>not?  For that matter, what's wted?
>>>
>>wted  --  wtmp editor
>>
>>http://www.cleo-and-nacho.com/cnd/text/hackkit.txt
>>
>>Reading the whole doc will be educational.  The grammar isn't perfect 
>>but the message is unusually clear.
>>
>
>I'm reading it now, and I am not heartened by what I see....
>
>Is there anything that could cause the checker to trip on that?  I.E., is 
>there something else which could result in it thinking that something was 
>removed from wtmp?
>
>I'm pretty careful in my password choices and am on the mandrake-security 
>announce list so that I know when a fix has been released (and I put it in 
>right away), so I'm really curious as to how someone could have gotten in, 
>installed that program, run it to cover up whatever else it was they did, 
>and then remove it.
>
>And, I'm *not* enjoying the prospect of having to wipe and reinstall my 
>system.... :-/
>
>Any other thoughts on the subject?  Or is it just time to "push the button, 
>Max?"  (Probably no one will get the joke, but I'm sure you understand the 
>meaning... :)
>
>                        --Dave
>
>
>------------------------------------------------------------------------
>
>Want to buy your Pack or Services from MandrakeSoft? 
>Go to http://www.mandrakestore.com
>
Well, you noted I was very terse in my message.  I hate to be the bearer 
of bad news.  But first try
Put in CD#1
cd /mnt/cdrom
rpm -ivh --force basesystem-8.2-1mdk.i586.rpm

This will generally blow away anything done to /bin /sbin or /lib

Use the now good ls and rgrep tools to scan other directories for 
martians--if you see any, by God, push the button.

If you are in an unfriendly environment it is time to consider a 
separate firewall machine between you and the web.  Mandrake SNF is 
exceptionally conservative, not even allowing a DMZ, and is configurable 
from inside via a web browser.  MNF is coming soon and will have 
stateful firewalling which is an additional degree of security.

Now as to how this may happen, have you ever connected via ftp?  Or 
downloaded by http?  There is a way (and damned near undetectable if you 
are more than a few hops from both client and server) to desynchronize 
the ends of a TCP connection and become a machine in the middle, acting 
as server to the client and client to the server.  (There is also 
another way of doing this with https, sometimes called 
Man-in-the-middle.)  These are very sophisticated attacks run by 
knowledgeable blackhats and not by script kiddies.

To avoid such problems,

NEVER accept self-signed certificates.

NEVER download pure binaries--download source unless it is something 
like a full iso.

Grab md5sums for what you do download from a different mirror (and check 
them).  Don't download isos for which there are no md5sums available. 
(Exception:  Really old stuff or really new--crackers are unlikely to 
have infected copies to supply.)

Civileme
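
The md5sum advice in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that looks a file up in an md5sum-style MD5SUMS list, recomputes the hash locally, and also cross-checks the entry against a second list taken from an independent mirror, since a compromised mirror can serve a matching bad list alongside the file. It assumes `md5sum` (or BSD `md5`) and `awk` are present; the file contents and both MD5SUMS lists are constructed inline for the demonstration (the listed hash is that of the string "hello" followed by a newline). The same mechanics apply to `sha256sum` lists, which is what you would check today; MD5 is shown only because it is what the post discusses.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Verify downloads against an MD5SUMS list and cross-check that list
# against one from a second mirror.
set -u

# md5_of FILE: print the hex md5 of FILE (md5sum on Linux, md5 on BSD/macOS)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# listed_md5 SUMFILE NAME: print the hash SUMFILE lists for NAME, or nothing.
# Accepts both "hash  name" (text) and "hash *name" (binary) md5sum lines.
listed_md5() {
    awk -v n="$2" '$2 == n || $2 == "*" n { print $1; exit }' "$1"
}

# verify_md5 FILE SUMFILE
# Returns 0 when FILE's hash matches its entry in SUMFILE, 1 on mismatch,
# 2 when SUMFILE has no entry for it (treat that as a failure too).
verify_md5() {
    name=$(basename "$1")
    expected=$(listed_md5 "$2" "$name")
    if [ -z "$expected" ]; then
        echo "NO ENTRY: $name not listed in $2" >&2
        return 2
    fi
    actual=$(md5_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name listed $expected, got $actual" >&2
    return 1
}

# cross_check_sums SUMFILE_A SUMFILE_B NAME
# Returns 0 only when two independently obtained lists agree on NAME's hash.
cross_check_sums() {
    a=$(listed_md5 "$1" "$3")
    b=$(listed_md5 "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# demo: constructed files and lists; returns 0 if every case behaves as expected.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'hello\n' > "$dir/good.iso"
    printf 'hello\n# trojaned\n' > "$dir/tampered.iso"
    # Constructed list from "mirror 1": the hash of "hello\n" for both files,
    # i.e. the tampered file is listed with a hash it no longer has.
    cat > "$dir/MD5SUMS.mirror1" <<'EOF'
b1946ac92492d2347c6235b4d2611184  good.iso
b1946ac92492d2347c6235b4d2611184  tampered.iso
EOF
    # Constructed list from an independent "mirror 2" that disagrees on tampered.iso.
    cat > "$dir/MD5SUMS.mirror2" <<'EOF'
b1946ac92492d2347c6235b4d2611184  good.iso
00000000000000000000000000000000  tampered.iso
EOF
    rc=0
    verify_md5 "$dir/good.iso" "$dir/MD5SUMS.mirror1" || rc=1
    if verify_md5 "$dir/tampered.iso" "$dir/MD5SUMS.mirror1" 2>/dev/null; then rc=1; fi
    cross_check_sums "$dir/MD5SUMS.mirror1" "$dir/MD5SUMS.mirror2" good.iso || rc=1
    if cross_check_sums "$dir/MD5SUMS.mirror1" "$dir/MD5SUMS.mirror2" tampered.iso; then rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo
```

Run it as `sh verify.sh`; in real use call `verify_md5 mandrake.iso MD5SUMS` with a list fetched over a separate connection from the ISO, and `cross_check_sums` with a second list from another mirror before trusting either.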
