[ale] Compromised System

Jason Day jasonday at worldnet.att.net
Tue Jan 11 13:52:44 EST 2005


On Tue, Jan 11, 2005 at 12:31:56PM -0500, David Muse wrote:
[snip]

> Once you have a clean rpm installation, reboot and run:
> 	rpm --verify --all
> 
> It will report any file that has been modified from its distributed
> form.

Unless the rootkit author modified the boot process to check that the
installed rpm is the "correct" one at boot, and if not, either restore
the cracked version or do nasty things to the system.

[snip]

> Once you have restored your system tools, you can trust their output. 
> You know, for example that ps will report all processes and not hide
> any.

Unless the rootkit author installed a process that periodically checks
that the installed system tools are the "correct" ones.  Or installed a
kernel module that leaves the system tools intact, but intercepts some
choice syscalls and returns bogus values.

NEVER assume that the attacker is not smarter than you are, or that you
can think of everything the attacker might have done.  As others have
said, the only way to be sure you've disinfected a system is to do a
complete wipe and rebuild, or swap the drives.  You're really taking a
risk if you don't.  If a rebuild is really not an option right now,
you'll just have to weigh the risks.  But keep in mind, if the attacker
thinks you're onto him, he may decide to cover his tracks by simply
deleting everything on the disks.  This happened to me once.

Jason
-- 
Jason Day                                       jasonday at
http://jasonday.home.att.net                    worldnet dot att dot net
 
"Of course I'm paranoid, everyone is trying to kill me."
    -- Weyoun-6, Star Trek: Deep Space 9
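The thread's point is that integrity checks run on the live host (rpm --verify, ps) can be undermined by whatever the intruder left behind, including a kernel module that lies to userland. The usual defender's alternative is to take the suspect disk offline, mount it read-only from trusted boot media, and compare its files against a manifest recorded from a known-good install, so neither the suspect kernel nor its binaries are involved in the check. The following is an added example, not code from the thread or from either author: it builds such a manifest (mode, size, SHA-256 per regular file), verifies a second tree against it, and reports modified, missing and unexpected files. The directory layout, the manifest format and the file contents are all constructed for the demonstration; in practice the manifest would be generated on a clean system and kept off the host.

```python
"""Offline file-integrity check against a known-good baseline.

Added example (not part of the original mailing-list thread). Models
verifying a mounted suspect filesystem from a trusted environment
instead of trusting the compromised host's own rpm/ps output.
Paths, manifest layout and sample files are hypothetical.
"""
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record mode, size and SHA-256 for every regular file under root.

    Keys are paths relative to root, so a manifest taken from a clean
    install can be applied to the same disk mounted elsewhere
    (e.g. /mnt/suspect) from rescue media. Symlinks are skipped.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[p.relative_to(root).as_posix()] = {
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
                "sha256": sha256_of(p),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with the baseline.

    Returns sorted lists of relative paths that were modified (any of
    mode/size/hash changed), missing from the tree, or present in the
    tree but absent from the baseline.
    """
    current = build_baseline(root)
    modified = sorted(
        rel for rel, rec in baseline.items()
        if rel in current and current[rel] != rec
    )
    missing = sorted(rel for rel in baseline if rel not in current)
    unexpected = sorted(rel for rel in current if rel not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a 'clean install' tree and a manifest from
    it, then a copy in which one tool was replaced and a hidden file
    added, as a compromised disk mounted for offline inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        (clean / "bin").mkdir(parents=True)
        (clean / "bin" / "ps").write_bytes(b"#!/bin/sh\necho genuine ps\n")
        (clean / "bin" / "ls").write_bytes(b"#!/bin/sh\necho genuine ls\n")
        (clean / "etc").mkdir()
        (clean / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        for p in (clean / "bin").iterdir():
            p.chmod(0o755)
        baseline = build_baseline(clean)  # taken while the system is known good

        suspect = Path(tmp) / "suspect"
        shutil.copytree(clean, suspect)   # copy2 preserves the mode bits
        # Constructed tampering: ps replaced, an extra file dropped in bin/.
        (suspect / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (suspect / "bin" / ".hidden").write_bytes(b"not in the manifest\n")
        return verify(suspect, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the comparison runs on the inspecting machine's kernel and its own Python, a syscall-filtering module or a swapped binary on the suspect disk cannot influence the result; the only trust assumption left is the baseline itself, which is why it has to be captured before compromise and stored away from the host.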