
[no subject]



On Tue, 11 Jan 2005 13:48:51 -0500
Jason Day <jasonday at worldnet.att.net> wrote:

> On Tue, Jan 11, 2005 at 12:31:56PM -0500, David Muse wrote:
> [snip]
> 
> > Once you have a clean rpm installation, reboot and run:
> > 	rpm --verify --all
> > 
> > It will report any file that has been modified from its distributed
> > form.
> 
> Unless the rootkit author modified the boot process to check that the
> installed rpm is the "correct" one at boot, and if not, either restore
> the cracked version or do nasty things to the system.
> 
> [snip]
> 
> > Once you have restored your system tools, you can trust their
> > output. You know, for example that ps will report all processes and
> > not hide any.
> 
> Unless the rootkit author installed a process that periodically checks
> that the installed system tools are the "correct" ones.  Or installed
> a kernel module that leaves the system tools intact, but intercepts
> some choice syscalls and returns bogus values.
> 
> NEVER assume that the attacker is not smarter than you are, or that
> you can think of everything the attacker might have done.  As others
> have said, the only way to be sure you've disinfected a system is to
> do a complete wipe and rebuild, or swap the drives.  You're really
> taking a risk if you don't.  If a rebuild is really not an option
> right now, you'll just have to weigh the risks.  But keep in mind, if
> the attacker thinks you're onto him, he may decide to cover his tracks
> by simply deleting everything on the disks.  This happened to me once.
> 
> Jason
> -- 
> Jason Day                                       jasonday at
> http://jasonday.home.att.net                    worldnet dot att dot
> net
>  
> "Of course I'm paranoid, everyone is trying to kill me."
>     -- Weyoun-6, Star Trek: Deep Space 9
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
> 


</pre>
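As an added example that is not part of the original thread: the `rpm --verify --all` check suggested in the quoted reply prints one line per file that differs from what the package database recorded, and on a real box that list runs to hundreds of lines, most of them harmless config and mtime drift. The Python script below parses the verify output format (an attribute field of up to nine characters, an optional file-type flag, then the path, or `missing` for a deleted file) over a constructed sample and ranks each entry. The sample lines, the list of binary directories and the severity rules are my assumptions for illustration, not anything the thread supplies.

```python
"""Triage rpm --verify output.  Added example with constructed sample data;
not code from the mailing-list thread.

rpm -Va prints one line per file that differs from the package metadata:
an attribute field (S size, M mode, 5 digest, D device, L link target,
U user, G group, T mtime, P capabilities; '.' unchanged, '?' untestable),
a space, an optional file-type flag (c config, d doc, g ghost, l license,
r readme) and the path.  Files absent from disk print as 'missing <path>'.
Older rpm releases emit an 8-character field without P; both are accepted.
"""
import re

# Constructed sample output: a trojaned /bin/ps, an edited sshd_config,
# a deleted ifconfig, a setuid bit changed on sudo and an old-style line.
SAMPLE_OUTPUT = """\
S.5....T.    /bin/ps
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
..5....T.  c /etc/hosts
missing      /sbin/ifconfig
.M.......    /usr/bin/sudo
..5......    /usr/share/zoneinfo/UTC
S.5....T    /usr/sbin/sshd
"""

LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}) {1,2}(?P<type>[cdglr]?) +(?P<path>/.*)$")
MISSING_RE = re.compile(r"^missing +(?P<type>[cdglr]?) *(?P<path>/.*)$")

# Assumed list: a changed digest, size, link target or permission on a
# file here means a replaced binary, which is what a user-land rootkit does.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")


def parse_verify_line(line):
    """Return (attrs, ftype, path) for one rpm -V line, or None if it is
    not a verify record (blank lines, warnings)."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return ("missing", m.group("type"), m.group("path"))
    m = LINE_RE.match(line)
    if m:
        return (m.group("attrs"), m.group("type"), m.group("path"))
    return None


def classify(attrs, ftype, path):
    """Map one record to 'critical', 'suspicious' or 'expected'."""
    if attrs == "missing":
        return "critical" if path.startswith(BINARY_DIRS) else "suspicious"
    content_changed = any(c in attrs for c in "S5L")
    perms_changed = any(c in attrs for c in "MUGP")
    if path.startswith(BINARY_DIRS) and (content_changed or perms_changed):
        return "critical"
    if ftype == "c" and not perms_changed:
        # An edited config file drifts in size, digest and mtime by design;
        # it still deserves a diff against the packaged copy, just not first.
        return "expected"
    if content_changed or perms_changed:
        return "suspicious"
    return "expected"  # mtime only, e.g. a touched man page


def triage(output):
    """Parse rpm -Va output and return {severity: [paths]} in input order."""
    result = {"critical": [], "suspicious": [], "expected": []}
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        result[classify(*parsed)].append(parsed[2])
    return result


if __name__ == "__main__":
    for severity, paths in triage(SAMPLE_OUTPUT).items():
        for p in paths:
            print(f"{severity:10s} {p}")
```

Feed it real output with `rpm --verify --all | python3 triage.py` (reading stdin instead of `SAMPLE_OUTPUT`). Two caveats follow from the quoted reply. First, run the verify from a rescue medium against the mounted suspect disk (`rpm --verify --all --root /mnt/suspect`) rather than on the live system, because a kernel module on the running box can lie to every user-land tool, rpm included. Second, the rpm database being consulted lives on that same disk; an attacker who edits it makes a trojaned file verify clean, so for the files that matter compare against the original package file (`rpm -Vp package.rpm`) fetched from a trusted mirror, which does not depend on the on-disk database.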
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00362" href="msg00362.html">[ale] Comprimised System</a></strong>
<ul><li><em>From:</em> wormfishin at gmail.com (Nick Travis)</li></ul></li>
<li><strong><a name="00368" href="msg00368.html">[ale] Comprimised System</a></strong>
<ul><li><em>From:</em> david.muse at firstworks.com (David Muse)</li></ul></li>
<li><strong><a name="00375" href="msg00375.html">[ale] Comprimised System</a></strong>
<ul><li><em>From:</em> jasonday at worldnet.att.net (Jason Day)</li></ul></li>
</ul></li></ul>
</body>
</html>