Dave: GREAT information. Thanks. steve On Tue, 2002-12-03 at 08:39, Dave Ihnat wrote: > On Tue, Dec 03, 2002 at 07:20:56AM -0600, Steve Strong wrote: > > the file exists and has the permissions you list. I've re-installed the > > passwd package from the CD, this should be the original, yes? > > steve > > You'd best also check the extended attributes via 'lsattr'. > > Contrary to "common knowledge", I've had no problem "de-rootkit"ing > several cracked systems. (OTOH, I've been working in Unix since 1980; > that may have something to do with it.) Essentially, there are only so many > places to start programs; there are only so many critical commands they can > attack; and there are only so many ways they can hide their footsteps. > > There are a few preparatory steps that are necessary. > > 1. Have a known good backup on disk somewhere. NOT on a machine > at risk. (I actually run a 'tar' system backup on a > per-partition basis to a network-mounted removabel drive.) > > 2. Squirrel away some critical commands. At a minimum, tar, > ps, ls, ifconfig, passwd, login, rpm. Check that they don't > need shared libraries--if they do, copy those, too. > Keep chkrootkit in the 'safe' location(s), too. > > 3. Run chkrootkit daily on at-risk systems. Also, daily check for > 'strange' files in /tmp and /usr/tmp. These will commonly be > .files (e.g., .local). > > 4. At the first sign of trouble--something behaves 'funny', > strange files, or a complaint from chkrootkit--take the system > off-net and start your security audit. Injection points > are /etc/rc.d, /etc/inittab, and the various crontabs and > at jobs--this is where they'll try to start and re-start their > own programs. > > As of step (4), the job shifts from mechanics to artform. They'll try > to preserve the time/date stamp on normal commands such as 'ps', > but commonly will fail to catch everything--especially in rc files or > their own temp directories. Once you can nail a date and hour, search > the whole system for any file created or modified on that date/time. > Your logs will, generally, be worthless unless you've also sent them to > another system (which should be firewalled) and/or to a hardcopy printer > or write-only media. Run RPM to validate packages. And especially look > for anything with attributes set via 'chattr'. Virtually _nothing_ uses > this in a stock system--any set attributes are warning signs that they've > been there. > > The whole process takes me ~60-90 minutes. Oh, and if you've good > outbound rules on your firewall, they often can't clean up neatly. > I've caught IP addresses and destination mail addresses and machine > FQDNs this way, too. > > G'luck, > -- > Dave Ihnat > [EMAIL PROTECTED] > > > > -- > redhat-list mailing list > unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe > https://listman.redhat.com/mailman/listinfo/redhat-list > --
Steve Strong Computer Science Teacher Washington High School 2205 Forest Dr. SE Cedar Rapids, Iowa 52403 phone: 319-398-2161 email: [EMAIL PROTECTED] web: http://crwash.org -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe https://listman.redhat.com/mailman/listinfo/redhat-list