On Tue, Dec 03, 2002 at 07:20:56AM -0600, Steve Strong wrote:
> the file exists and has the permissions you list. I've re-installed the
> passwd package from the CD, this should be the original, yes?
> steve
You'd best also check the extended attributes via 'lsattr'.
Contrary to "common knowledge", I've had no problem "de-rootkit"ing
several cracked systems. (OTOH, I've been working in Unix since 1980;
that may have something to do with it.) Essentially, there are only so many
places to start programs; there are only so many critical commands they can
attack; and there are only so many ways they can hide their footsteps.
There are a few preparatory steps that are necessary.
1. Have a known good backup on disk somewhere. NOT on a machine
at risk. (I actually run a 'tar' system backup on a
per-partition basis to a network-mounted removabel drive.)
2. Squirrel away some critical commands. At a minimum, tar,
ps, ls, ifconfig, passwd, login, rpm. Check that they don't
need shared libraries--if they do, copy those, too.
Keep chkrootkit in the 'safe' location(s), too.
3. Run chkrootkit daily on at-risk systems. Also, daily check for
'strange' files in /tmp and /usr/tmp. These will commonly be
.files (e.g., .local).
4. At the first sign of trouble--something behaves 'funny',
strange files, or a complaint from chkrootkit--take the system
off-net and start your security audit. Injection points
are /etc/rc.d, /etc/inittab, and the various crontabs and
at jobs--this is where they'll try to start and re-start their
own programs.
As of step (4), the job shifts from mechanics to artform. They'll try
to preserve the time/date stamp on normal commands such as 'ps',
but commonly will fail to catch everything--especially in rc files or
their own temp directories. Once you can nail a date and hour, search
the whole system for any file created or modified on that date/time.
Your logs will, generally, be worthless unless you've also sent them to
another system (which should be firewalled) and/or to a hardcopy printer
or write-only media. Run RPM to validate packages. And especially look
for anything with attributes set via 'chattr'. Virtually _nothing_ uses
this in a stock system--any set attributes are warning signs that they've
been there.
The whole process takes me ~60-90 minutes. Oh, and if you've good
outbound rules on your firewall, they often can't clean up neatly.
I've caught IP addresses and destination mail addresses and machine
FQDNs this way, too.
G'luck,
--
Dave Ihnat
[EMAIL PROTECTED]
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
