By the way: Can dpkg check the files in my filesystem against the version which is in the packages database? So I can verify if the binary was modified. Then the only thing I need is a signing of the dep-packages and the database itself (perhaps with an external key). Is something like this possible or is it planned?

Oliver

> -----Original Message-----
> From: Lukas Eppler [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 12 July 2001 10:36
> To: Alvin Oga; kath
> Cc: [email protected]
> Subject: Re: was I cracked? (rpc.statd, new version)
>
> Thank you all for the hints.
> I think I will install tripwire for the future. I didn't have it up to now,
> so for the moment it does not tell me much. The hacked machine is the only
> one with 2.2 I control, so checking the binaries would involve unpacking debs
> by hand, I guess. I have looked at creation times and setuid flags, and I
> have run a portscan from outside and haven't found anything unusual.
> So as Ethan said, I think I survived...
>
> I have tried the exploit myself from outside on my machine. It produced a
> similar entry in the logs, the script reported to have 'failed', and my shy
> test command (touch /blah) was not executed. This seems evidence to me that
> it was actually the old rpc.statd hole he/she tried to crack, and I know my
> version is safe (not because my own attack failed, but because Debian says
> so).
> I will
> - install tripwire to observe more
> - remove nfs-common (the machine is a fresh install, I couldn't go over all
>   the services yet)
>
> Thank you for your help
>
> Lukas
>
> On Thursday, 12. July 2001 03.55, Alvin Oga wrote:
> > i like a simple/stupid solution
> >     tar zcvf /safe_place_off_line/original_binaries.tgz \
> >         /bin /lib /sbin /usr/{bin,sbin,lib} /etc
> >
> > ( it's a quickie test... to compare the current binaries
> > ( against what was the original
> >
> > if you're still not sure... that they ADDED some of their own
> > apps .... then run tripwire.... and wait and wait..
> > but then you'd have an answer if you have a good tripwire db going
> >
> > dozen different ways to identify if they got in and what they
> > changed... choose your preferred way...
> >
> > c ua
> > alvin
> >
> > On Wed, 11 Jul 2001, kath wrote:
> > > You can check for modified binaries with tripwire.
> > >
> > > If this was a decent hacker or even a script kiddie using a good tool,
> > > they probably would have purged your logs of all evidence.
> > >
> > > So either:
> > >
> > > a) They are second rate
> > > or
> > > b) They didn't get in
>
> --
> Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
> http://www.tempobrain.com | icq # 5856 2285
> +44 20 7233 6206 | +44 79 8037 7312
> +41 1 389 29 29 | +41 76 373 07 87
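
The baseline comparison discussed in this thread (check current binaries against a known-good record, and notice files that were added or gained the setuid bit), sketched as an added example that is not code from any poster or from dpkg or tripwire. It assumes a SHA-256 manifest instead of a tar archive; the function names and the sample tree are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map each regular file under root to (sha256 hex, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return manifest

def compare(baseline, current):
    """Report modified, missing, added and newly setuid paths."""
    report = {"modified": [], "missing": [], "added": [], "new_setuid": []}
    for path, (digest, _mode) in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path][0] != digest:
            report["modified"].append(path)
    for path, (_digest, mode) in current.items():
        old_mode = baseline.get(path, (None, 0))[1]
        if path not in baseline:
            report["added"].append(path)
        if mode & stat.S_ISUID and not old_mode & stat.S_ISUID:
            report["new_setuid"].append(path)
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed sample tree: take a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, data in (("ls", b"ls-v1"), ("ps", b"ps-v1"), ("su", b"su-v1")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)  # in real use, keep this off-line
        with open(os.path.join(bindir, "ps"), "wb") as fh:
            fh.write(b"ps-changed")  # modified binary
        os.remove(os.path.join(bindir, "su"))  # missing binary
        with open(os.path.join(bindir, "extra"), "wb") as fh:
            fh.write(b"new")  # file that was never in the baseline
        os.chmod(os.path.join(bindir, "extra"), 0o4755)  # and it is setuid
        return compare(baseline, snapshot(root))
```

A manifest taken after a suspected break-in only records the current state, so the baseline has to come from a known-good install and be stored where the machine cannot rewrite it.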

