[ale] Compromised System

David Muse david.muse at firstworks.com
Tue Jan 11 15:06:25 EST 2005


All good points.  I hadn't thought about those possibilities at all. 
Guess I got lucky in the past.  Or maybe I just got fooled into thinking
I got lucky.

On Tue, 11 Jan 2005 13:48:51 -0500
Jason Day <jasonday at worldnet.att.net> wrote:

> On Tue, Jan 11, 2005 at 12:31:56PM -0500, David Muse wrote:
> [snip]
> 
> > Once you have a clean rpm installation, reboot and run:
> > 	rpm --verify --all
> > 
> > It will report any file that has been modified from its distributed
> > form.
> 
> Unless the rootkit author modified the boot process to check that the
> installed rpm is the "correct" one at boot, and if not, either restore
> the cracked version or do nasty things to the system.
> 
> [snip]
> 
> > Once you have restored your system tools, you can trust their
> > output. You know, for example that ps will report all processes and
> > not hide any.
> 
> Unless the rootkit author installed a process that periodically checks
> that the installed system tools are the "correct" ones.  Or installed
> a kernel module that leaves the system tools intact, but intercepts
> some choice syscalls and returns bogus values.
> 
> NEVER assume that the attacker is not smarter than you are, or that
> you can think of everything the attacker might have done.  As others
> have said, the only way to be sure you've disinfected a system is to
> do a complete wipe and rebuild, or swap the drives.  You're really
> taking a risk if you don't.  If a rebuild is really not an option
> right now, you'll just have to weigh the risks.  But keep in mind, if
> the attacker thinks you're onto him, he may decide to cover his tracks
> by simply deleting everything on the disks.  This happened to me once.
> 
> Jason
> -- 
> Jason Day                                       jasonday at worldnet dot att dot net
> http://jasonday.home.att.net
>  
> "Of course I'm paranoid, everyone is trying to kill me."
>     -- Weyoun-6, Star Trek: Deep Space 9
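A small triage helper for the `rpm --verify --all` output discussed above, added here as an example and not taken from the thread or from the rpm project. It assumes rpm's standard verify-line format (flag field, optional attribute letter, path) and, per Jason's caveat, that the output comes from a boot and an rpm binary you trust, not from the suspect kernel; it ranks digest or size changes on non-config files highest, since those are the lines that point at a replaced tool.

```python
import re
from typing import NamedTuple, Optional

# rpm --verify prints one line per file that fails a check: an 8- or 9-character
# flag field (S size, M mode, 5 digest, D device, L readlink, U user, G group,
# T mtime, P capabilities on newer rpm; '.' = passed, '?' = not testable),
# an optional attribute letter (c config, d doc, g ghost, l license, r readme),
# then the path. Files that pass every check print nothing.
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)

class Finding(NamedTuple):
    path: str
    flags: str
    config: bool
    severity: str  # "high", "medium" or "low"
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Turn one rpm --verify line into a Finding; None for lines that are not verify output."""
    m = VERIFY_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
    config = attr == "c"
    if flags == "missing":
        return Finding(path, flags, config, "high", "file missing")
    if "?" in flags:
        return Finding(path, flags, config, "medium", "check could not be performed")
    content_changed = "5" in flags or "S" in flags
    meta_changed = any(f in flags for f in "MUGDL")
    if content_changed and not config:
        # A non-config file whose digest or size differs: the classic trojaned binary.
        return Finding(path, flags, config, "high", "content differs from package")
    if meta_changed:
        return Finding(path, flags, config, "medium", "mode/owner/group/link changed")
    if content_changed:
        return Finding(path, flags, config, "low", "config file edited locally")
    return Finding(path, flags, config, "low", "mtime only")

def triage(output: str) -> list:
    """Parse a whole rpm --verify --all run and return findings, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(classify, output.splitlines()) if f]
    return sorted(findings, key=lambda f: (order[f.severity], f.path))

# Constructed sample output (not from a real system) covering the common line shapes.
SAMPLE = """\
S.5....T.    /bin/ps
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/hosts
missing     /usr/bin/top
.M.......    /usr/bin/find
..?......    /usr/lib/libfoo.so
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.flags:9} {f.path}  ({f.reason})")
```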