On 15 Apr 2002, Joshua Newman wrote:

> The box hasn't been rebuilt yet.
>
> The only things that have been changed are that some rpm's have been
> added (fileutils, findutils, net-tools, passwd, procps, xinetd,
> syslogd, sysvinit, tcp_wrappers, and psmisc).

okay, if these are dynamically linked then you can be sure they are still
trojaned. basically, you can't trust anything on that machine at this
point. ideally, you should boot from known good media _or_ boot the
machine and mount a cdrom filesystem containing statically linked tools to
examine the machine.

> I did a pre and post rpm ps, df, find, du and diff'd them and made
> some other files in preparation for backup but that's it.

what were the results of the diff?

> How can I get the info to you?
> It's not connected now and I'm a little nervous about connecting to my
> home router.
>
> If you give me some instructions I'd be happy to get you whatever you
> may want.

well, you did some stuff to the machine so we might not be able to find
out how extensive the damage was. how big is the filesystem and how big is
the disk it currently resides on? basically, if you had an extra drive or
a tape drive, you could dd the filesystem out to tape and then pass that
along. i don't recommend you bring it back up on the net before rebuilding
it.

when you rebuild it, before putting it online, i can give you some
pointers to things you will definitely want to do in addition to disabling
all unnecessary services. the first thing i would recommend is running
ipchains. the second thing is to use the latest versions of any network
services you want to run (openssh, etc) and don't rely on the versions
that came with your install media. then, i would install a tool like
tripwire and baseline your install in addition to running log processing
scripts that look for interesting stuff appearing in the logs.

if anyone is interested, i can come up with a checklist of things to do to
secure your box. some of it is a little extreme, so you need to decide
what your risk tolerance is and then follow accordingly.

-- 
christian void - [EMAIL PROTECTED]
www.morphine.com/void/
gpg key available on request
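The tripwire-style baseline the reply recommends, as an added example that is not part of this thread: a small POSIX shell script that records a digest and mode for every file under a directory on the freshly rebuilt host, then reports added, removed and modified files on a later check. It assumes a Linux box with `sha256sum` and a GNU/busybox `stat -c`; the `/etc` layout built by `demo` is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal tripwire-style
# file integrity baseline. Store the baseline off-host (CD, tape, another
# machine), since a baseline kept on a compromised box cannot be trusted.

# make_baseline DIR... > baseline.txt
# One tab-separated line per regular file: "<sha256>\t<mode:uid:gid>\t<path>",
# sorted by path. (Paths containing newlines are not handled.)
make_baseline() {
    find "$@" -type f | LC_ALL=C sort | while IFS= read -r f; do
        digest=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%u:%g' "$f")      # permissions, owner, group
        printf '%s\t%s\t%s\n' "$digest" "$meta" "$f"
    done
}

# compare_baseline OLD NEW
# Prints "added\t<path>", "removed\t<path>" or "modified\t<path>" per change.
compare_baseline() {
    awk -F'\t' '
        NR == FNR { old[$3] = $1 "\t" $2; next }      # load the saved baseline
        {
            if (!($3 in old)) print "added\t" $3
            else {
                if (old[$3] != $1 "\t" $2) print "modified\t" $3
                delete old[$3]
            }
        }
        END { for (p in old) print "removed\t" p }    # left over = gone
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: constructed directory tree; baseline it, change it, report the diff
# (temp dir prefix stripped so the output is stable).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'root:x:0:0\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    make_baseline "$d/etc" > "$d/baseline.txt"
    # simulate changes found on a later check
    printf 'root:x:0:0\nextra:x:0:0\n' > "$d/etc/passwd"
    rm "$d/etc/sshd_config"
    printf 'x\n' > "$d/etc/extra"
    make_baseline "$d/etc" > "$d/now.txt"
    compare_baseline "$d/baseline.txt" "$d/now.txt" | sed "s|$d||"
    rm -rf "$d"
}
```

Run the baseline from known-good statically linked tools and keep the resulting file off the machine; `demo` is only there to show the report format.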

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits