[ale] Compromised System

Jay Finch retief at larp.com
Tue Jan 11 12:26:51 EST 2005


Hi Nick!

Having dealt with having my system compromised (in one form or another) 5
times in the last 5 years, I can offer some advice:

After having looked everywhere, and trying to find something that would
remove rootkits & restore a system's integrity, the only viable solution
is to reinstall.  (I've spent hours and hours looking over all the
Security websites, all the Rootkit websites, etc.)

The problem resides in the fact that most rootkitters are smart enough to
tamper with or remove logs/logging, so you can never really be sure of
WHICH programs have been tampered with - and that (potentially) keeps
you open for continued or future exploits.

-----

Now with that said, I don't know if upgrading your machine from RH 7.3 to
Enterprise would overwrite/replace the compromised files, as well as
securing your machine.  I never tried that path honestly.

-----

Bob Toxen, who is a regular reader of this list, might be able to chime in
and provide some assistance.  I believe his website is:
http://www.verysecurelinux.com/

-----

I hope your situation gets better, and if you need someone to commiserate
with, feel free to contact me. :~)

Cheers!
Jay



> We have a system at work that has been compromised.  It looks like
> they got in and used several different executable files, I've got the
> command history however I don't think it is complete.  For example I
> see that directories were created, but I never saw that they were
> removed and I can't find them.  It looks like about 5 ftp sites were
> hit and there were about 3 wget commands to pull down files.  Also
> apache was downloaded and installed, even though it was already
> running on the system.  So here's my question, I know that rebuilding
> the system is the only way to be sure that there is nothing else
> hidden on it, but that's not an option at this point.  Are there any
> good HowTo's or books out there that can give me some direction on how
> to check the system for irregularities?  This is the first time I've
> dealt with this so I would like to learn as much as I can about it,
> I've already determined how they got in.  A user made their password
> the same as their login name, which obviously is no longer allowed.
> BTW the system is running Red Hat 7.3.
>
> Nick
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
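A defender-side starting point for Nick's question about checking the system for irregularities, and for Jay's point that you cannot tell which programs were changed: this added example (not from either poster) filters `rpm -Va` verification output down to packaged files whose recorded digest no longer matches, run here over a constructed sample rather than a live box. It assumes the rpm binary and /var/lib/rpm are still trustworthy, which on a rooted machine they may not be; that uncertainty is exactly Jay's argument for reinstalling.

```shell
#!/bin/sh
# Added example: narrow `rpm -Va` output to non-config package files whose
# digest no longer matches the RPM database, plus files that are missing.
# Column layout of rpm -V (rpm 3.x/4.x): S size, M mode, 5 digest, D device,
# L symlink, U user, G group, T mtime; "c" after the flags marks a config file.
# Caveat: a rootkit can replace rpm itself or edit the database, so run a
# known-good rpm from read-only media; a clean result proves nothing on its own.

# Constructed sample of rpm -Va output (not taken from a real system):
SAMPLE='S.5....T    /bin/ls
.......T    /usr/bin/vim
S.5....T  c /etc/httpd/conf/httpd.conf
SM5....T    /usr/bin/netstat
missing     /usr/sbin/sshd'

# altered_binaries VERIFY_OUTPUT
# Prints paths whose digest changed (third flag is "5") or that are missing,
# skipping config files, which legitimately differ from the packaged copy.
altered_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print $NF; next }
        substr($1, 3, 1) == "5" && $2 != "c" { print $NF }
    '
}

# On a real host replace the sample with: altered_binaries "$(rpm -Va)"
altered_binaries "$SAMPLE"
```

Every path it prints is a candidate for comparison against a pristine copy from the original install media, not proof of tampering by itself, and nothing outside the RPM database (dropped tools in /tmp, added cron jobs, a second apache tree) will appear at all.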

