On 15 Apr 2002, Joshua Newman wrote:

> The box hasn't been rebuilt yet.
>
> The only things that have been changed are that some rpm's have been
> added (fileutils, findutils, net-tools, passwd, procps, xinetd,
> syslogd, sysvinit, tcp_wrappers, and psmisc.

okay, if these are dynamically linked then you can be sure they are still trojaned. basically, you can't trust anything on that machine at this point. ideally, you should boot from known good media _or_ boot the machine and mount a cdrom filesystem containing statically linked tools to examine the machine.

> I did a pre and post rpm ps, df, find, du and diff'd them and made
> some other files in preparation for backup but that's it.

what were the results of the diff?

> How can I get the info to you.
> It's not connected now and I'm a little nervous about connecting to my
> home router.
>
> If you give me some instructions I'd be happy to get you whatever you
> may want.

well, you did some stuff to the machine so we might not be able to find out how extensive the damage was. how big is the filesystem and how big is the disk it currently resides on? basically, if you had an extra drive or a tape drive, you could dd the filesystem out to tape and then pass that along.

i don't recommend you bring it back up on the net before rebuilding it. when you rebuild it, before putting it online, i can give you some pointers to things you will definitely want to do in addition to disabling all unnecessary services. the first thing i would recommend is running ipchains. the second thing is to use the latest versions of any network services you want to run (openssh, etc) and don't rely on the versions that came with your install media. then, i would install a tool like tripwire and baseline your install in addition to running log processing scripts that look for interesting stuff appearing in the logs.

if anyone is interested, i can come up with a checklist of things to do to secure your box. some of it is a little extreme, so you need to decide what your risk tolerance is and then follow accordingly.
--
christian void - [EMAIL PROTECTED]
www.morphine.com/void/
gpg key available on request

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
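An added example, not code from this thread or from either poster: a minimal baseline-and-compare script in the spirit of the "pre and post" diffs Joshua took and the tripwire baseline recommended in the reply. It assumes a POSIX sh with find, sort, sha256sum and awk available; the fake bin/ directory, the "trojaned" replacement of ps and the dropped hidden file in demo() are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal baseline-and-compare
# check in the spirit of "install tripwire and baseline your install".
# Assumes POSIX sh with find, sort, sha256sum and awk on the PATH.
# Paths containing whitespace are not handled (awk splits on blanks).

# Write a baseline of every regular file under $1: "sha256  path", sorted.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Compare a trusted baseline $1 (taken right after install, ideally kept
# off the box) with a later one $2. Prints one line per ADDED / REMOVED /
# CHANGED path and returns 1 if anything differs, 0 if nothing changed.
compare_baselines() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { new[$2] = $1 }
        END {
            n = 0
            for (p in new) {
                if (!(p in old)) { print "ADDED   " p; n++; continue }
                if (old[p] != new[p]) { print "CHANGED " p; n++ }
            }
            for (p in old) if (!(p in new)) { print "REMOVED " p; n++ }
            exit (n > 0)
        }' "$1" "$2"
}

# Constructed scenario: a fake bin/ with two "binaries" is baselined, then
# one is replaced (as a rootkit does to ps) and a hidden file appears.
demo() {
    root=$(mktemp -d) || return 2
    mkdir "$root/bin"
    printf 'original ps\n' > "$root/bin/ps"
    printf 'original ls\n' > "$root/bin/ls"
    make_baseline "$root/bin" > "$root/baseline.old"
    printf 'trojaned ps\n' > "$root/bin/ps"      # modified binary
    printf 'hidden helper\n' > "$root/bin/.x"    # dropped file
    make_baseline "$root/bin" > "$root/baseline.new"
    rc=0
    compare_baselines "$root/baseline.old" "$root/baseline.new" || rc=$?
    rm -rf "$root"
    return $rc
}
```

The baseline itself must be taken before the box goes online and stored somewhere the box cannot modify, otherwise a later comparison proves nothing.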
