On Wed, 6 Apr 2005, Voytek wrote:
> I have a compromised RH73 machine, until such time as I can pull it down,
> what can I do to identify and shut down any rogue processes/backdoors?
I don't advise running for long... but... write yourself a script like
this for starters...
#!/bin/bash
# Verify every installed package against the rpm database; any file whose
# size, checksum, mode, owner, group or mtime differs gets listed.
for R in `rpm -qa`; do
    echo "Checking package $R"
    rpm -V $R
done
Then pipe the output to a file & if there's no reasonable explanation as
to why the files have changed, re-install that package with rpm --force
option.
Perhaps before you do that, just check
rpm -V rpm
rpm -qf `which ifconfig`
rpm -V <package mentioned>
rpm -qf `which ps`
rpm -V <package mentioned>
rpm -qf `which init`
rpm -V <package mentioned>
rpm -qf `which passwd`
rpm -V <package mentioned>
Once you're sure you've got the real 'ps' and 'netstat' utilities, use them
to find & kill off any processes you don't recognise - remove the binaries
first. In fact, any service you can live without, remove it. Once you
think you've got things pretty sane, verify the boot setup - maybe install
a new stock standard kernel & glibc for good measure (see fedoralegacy at
your local mirror site) & reboot - fingers crossed that actually works.
In my experience so far on hacked systems there's nearly always binaries
changed that rpm -V picks up. Also mystery stuff in /tmp and /dev and /var
and /lib.
Having said all that, the absolute best way is to install a new system on
a new hard disk at home/office and do your best to make it secure -
perhaps the bare minimum of software - maybe copy the install CDs to some
spare directory, go on site & plug that in with the old drive on another
bus (or get somebody to do that for you). Then selectively copy *data*
from the old system. Once it's pretty right remove the old drive, maybe
purge the copy of the install CDs (you can always use the mirror sites).
Oh yeah, leave the old drive unmounted unless you're actively working on
stuff - slightly less chance that anything will accidentally get run.
--
---<GRiP>---
** ROOM FOR RENT $120pw (neg) near Newington Shops 525/401 buses **
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist,
Linux Guru, SLUG President, AUUG and Linux Australia member, Sydney
Flashmobber, Tenpin Bowler, BMX rider, Walker, Raver & rave music
lover, Big kid that refuses to grow up. I'd make a good family pet,
take me home today!
Some people actually read these things it seems.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
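The loop in the post above prints one line per file that no longer matches the rpm database, which on a busy system is a long list dominated by edited config files. The following script is an added example (not from the post or from the rpm project) that decodes those lines and sorts them into classes, so that executables under /bin, /sbin, /lib and friends whose contents changed (the replaced ps/netstat/ls the post warns about) stand out from routine config edits. The class names, the directory list in is_binary_dir and the sample input in the usage line are assumptions made for the example; the rpm -V column layout (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime, plus "missing" for deleted files) is rpm's own.

```shell
#!/bin/sh
# Added example, not from the original post: a triage filter for `rpm -V`
# output. Reads verify lines on stdin and prints CLASS|PATH|CHANGES.
#
# rpm -V line layout: an 8-character flag string (S size, M mode, 5 MD5
# digest, D device, L symlink, U user, G group, T mtime; 9 chars with P
# capabilities on newer rpm), an optional file-type letter (c = config),
# then the path; or "missing <path>" for a file that has been deleted.

# decode_flags 'S.5....T' -> 'size md5 mtime'
decode_flags() {
    flags=$1
    out=''
    while [ -n "$flags" ]; do
        ch=${flags%"${flags#?}"}      # first character of the flag string
        flags=${flags#?}              # drop it
        case $ch in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out md5" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out caps" ;;
        esac
    done
    printf '%s' "${out# }"
}

# is_binary_dir PATH: true for the directories holding the tools and
# libraries that the post says are most often found replaced (assumed list).
is_binary_dir() {
    case $1 in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib/*|/usr/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_verify_output: read rpm -V lines on stdin, print CLASS|PATH|CHANGES
#   MISSING - the packaged file is gone
#   CONFIG  - a config file (type 'c') differs; usually a legitimate edit
#   EXEC    - a file under a binary/library directory whose contents differ
#   OTHER   - anything else, e.g. only a timestamp moved
# Non-verify lines (the "Checking package" echoes from the post's loop,
# dependency warnings) are skipped.
triage_verify_output() {
    while IFS= read -r line; do
        set -f                      # no glob expansion while splitting
        set -- $line
        set +f
        [ "$#" -ge 2 ] || continue
        case $1 in
            missing)
                if [ "$#" -ge 3 ]; then p=$3; else p=$2; fi
                printf 'MISSING|%s|\n' "$p"
                continue ;;
            [S.?][M.?][5.?][D.?][L.?][U.?][G.?][T.?]*) ;;
            *) continue ;;
        esac
        flags=$1
        if [ "$#" -ge 3 ]; then ftype=$2; path=$3; else ftype=''; path=$2; fi
        changes=$(decode_flags "$flags")
        cls=OTHER
        if [ "$ftype" = c ]; then
            cls=CONFIG
        elif is_binary_dir "$path"; then
            case $changes in
                *md5*|*size*) cls=EXEC ;;
            esac
        fi
        printf '%s|%s|%s\n' "$cls" "$path" "$changes"
    done
}

# On a real RPM system: sh triage.sh --live | sort | grep '^EXEC'
if [ "${1:-}" = --live ] && command -v rpm >/dev/null 2>&1; then
    rpm -Va 2>/dev/null | triage_verify_output
fi
```

Feed it either the output file from the post's loop or `rpm -Va` directly; EXEC lines are the ones to compare against `rpm -qf` and reinstall, CONFIG lines are normally your own edits, and a MISSING or EXEC entry for rpm itself means the verifier cannot be trusted and the offline-disk approach at the end of the post applies.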