[PLUG] Got hacked last night - HELP!
Michael Rasmussen
mikeraz at patch.com
Tue Oct 5 06:54:03 UTC 2004
On Mon, Oct 04, 2004 at 08:18:51PM -0700, Paul Johnson wrote:
> > Unplug from the net
> > configure IP tables
> > get chkrootkit - http://www.chkrootkit.org/
> > clean system
>
> What do you mean "clean system?" Once you're compromised, that's it!
> It's reinstall time!
Russ, your quoting of my message left out a VERY important line:
run rpm -Va and figure out anything that fails the comparison
That verifies every installed system binary and config file on your
system and prints a list of those without matching MD5 signatures.
To quote from the man page:
rpm {-V|--verify} [select-options] [verify-options]
Verifying a package compares information about the installed files in
the package with information about the files taken from the package
metadata stored in the rpm database. Among other things, verifying
compares the size, MD5 sum, permissions, type, owner and group of each
file. Any discrepancies are displayed. Files that were not installed
from the package, for example, documentation files excluded on
installation using the "--excludedocs" option, will be silently ignored.
The package selection options are the same as for package querying
(including package manifest files as arguments). Other options unique
to verify mode are:
It's trivial to take the output and work through your system verifying things
like a failed MD5 sum on /etc/init.d/sshd is a change you made or a change
someone else made.
It's also highly instructive work.
If one is concerned about the integrity of rpm and the rpm database, those can
be reinstalled from CD before performing the task.
--
Michael Rasmussen, Portland Oregon
Be appropriate && Follow your curiosity
http://meme.patch.com/memes/BicycleRiding
Get Fixed: http://www.dampfixie.org
The fortune cookie says:
In specifications, Murphy's Law supersedes Ohm's.
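As an added illustration of the "work through the output" step (not part of the original post), the following parses `rpm -Va` output and separates digest mismatches on config files (marked `c`, often local edits) from mismatches on other package files, which should never differ from the package. The sample output is constructed, and the column layout follows the rpm man page's verify flags (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime).

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `rpm -Va` output (not captured from a real system).
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
.M.......    /usr/bin/login
missing      /usr/lib/libfoo.so.1
.......T.  d /usr/share/doc/bash/README
"""

# Meaning of each verify flag character; newer rpm adds a ninth 'P' column.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "link", "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

class VerifyEntry(NamedTuple):
    path: str
    attr: str           # 'c' config, 'd' doc, 'g' ghost, ... or '' for none
    failed: List[str]   # names of the checks that did not match
    missing: bool

# flags column, optional file attribute letter, absolute path
LINE_RE = re.compile(r"^(\S+)\s+(?:([acdglr])\s+)?(/\S+)$")

def parse_rpm_verify(output: str) -> List[VerifyEntry]:
    """Turn raw `rpm -Va` lines into structured entries."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags, attr, path = m.groups()
        if flags == "missing":
            entries.append(VerifyEntry(path, attr or "", [], True))
            continue
        failed = [FLAG_MEANING.get(ch, ch) for ch in flags if ch != "."]
        entries.append(VerifyEntry(path, attr or "", failed, False))
    return entries

def triage(entries: List[VerifyEntry]) -> Dict[str, List[str]]:
    """Group entries so digest changes on non-config files stand out."""
    result = {"config_changed": [], "binary_changed": [],
              "other_changed": [], "missing": []}
    for e in entries:
        if e.missing:
            result["missing"].append(e.path)
        elif "digest" in e.failed:
            key = "config_changed" if e.attr == "c" else "binary_changed"
            result[key].append(e.path)
        elif e.failed:
            result["other_changed"].append(e.path)
    return result
```

Feed it the real output with `rpm -Va > verify.txt` and pass the file contents to `parse_rpm_verify`; as the post notes, the result is only as trustworthy as the `rpm` binary and database it ran against.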