[PLUG] Got hacked last night - HELP!

Michael Rasmussen mikeraz at patch.com
Tue Oct 5 06:54:03 UTC 2004


On Mon, Oct 04, 2004 at 08:18:51PM -0700, Paul Johnson wrote:
> > Unplug from the net
> > configure IP tables
> > get chkrootkit - http://www.chkrootkit.org/
> > clean system
> 
> What do you mean "clean system?"  Once you're compromised, that's it!
> It's reinstall time!

Russ, your quoting of my message left out a VERY important line:

   run rpm -Va and figure out anything that fails the comparison

That verifies every installed system binary and config file on your
system and prints a list of those without matching MD5 signatures.
To quote from the man page:

    rpm {-V|--verify} [select-options] [verify-options]

    Verifying  a  package compares information about the installed files in
    the package with information about the files  taken  from  the  package
    metadata  stored  in  the  rpm database.  Among other things, verifying
    compares the size, MD5 sum, permissions, type, owner and group of  each
    file.   Any discrepancies are displayed.  Files that were not installed
    from the package, for example, documentation files excluded on
    installation using the "--excludedocs" option, will be silently ignored.

    The  package  selection  options  are  the same as for package querying
    (including package manifest files as arguments).  Other options  unique
    to verify mode are:

It's trivial to take the output and work through your system verifying things
like a failed MD5 sum on /etc/init.d/sshd is a change you made or a change 
someone else made. 

It's also highly instructive work.

If one is concerned about the integrity of rpm and the rpm database, those can
be reinstalled from CD before performing the task.

-- 
    Michael Rasmussen, Portland Oregon  
  Be appropriate && Follow your curiosity
 http://meme.patch.com/memes/BicycleRiding
   Get Fixed:  http://www.dampfixie.org
  The fortune cookie says:
In specifications, Murphy's Law supersedes Ohm's.
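The triage the post describes, working through `rpm -Va` output and deciding which failed comparisons need an explanation, as an added example that is not part of the original message. The sample verify output is constructed for the demonstration; the column layout it parses is the one rpm 4.x prints (an 8-character flag column, an optional attribute marker such as `c` for config files, then the path), and paths containing spaces are not handled.

```shell
#!/bin/sh
# Triage helpers for `rpm -Va` output (added example, not from the post).
#
# Line format (rpm 4.x):   "S.5....T  c /etc/ssh/sshd_config"
#   col 1  S  size differs           col 5  L  symlink target differs
#   col 2  M  mode differs           col 6  U  owner differs
#   col 3  5  MD5 digest differs     col 7  G  group differs
#   col 4  D  device number differs  col 8  T  mtime differs
# then an optional attribute marker (c=config, d=doc, g=ghost, ...) and the
# path.  A line starting with "missing" means the file is gone entirely.
#
# On a live system you would run:   rpm -Va | tee rpm-verify.txt
# and feed rpm-verify.txt to the functions below.

# Package-owned files that are NOT config files and whose MD5 no longer
# matches the rpm database.  These come first in any review: a changed
# /usr/sbin/sshd or /bin/ls is either a change you made or a change someone
# else made, and you should be able to account for every one.
suspicious_digests() {
    awk '
        $1 == "missing" { next }                 # reported by missing_files()
        substr($1, 3, 1) == "5" {
            attr = (NF == 3) ? $2 : ""           # marker only present with 3 fields
            if (attr != "c") print $NF
        }'
}

# Config files with a changed digest: usually legitimate local edits, but
# still worth a diff against a known-good copy (e.g. from the package on CD).
changed_configs() {
    awk 'NF == 3 && $2 == "c" && substr($1, 3, 1) == "5" { print $3 }'
}

# Files the package installed that are no longer present on disk.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Expand the 8-character flag column into words, e.g. "S.5....T" -> "size md5 mtime".
explain_flags() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("size mode md5 devnum symlink owner group mtime", name, " ") }
        {
            out = ""
            for (i = 1; i <= 8; i++)
                if (substr($0, i, 1) != ".")
                    out = out (out == "" ? "" : " ") name[i]
            print out
        }'
}

# Constructed sample of rpm -Va output for the demonstration (not a real host).
sample_verify_output() {
    cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
S.5....T  c /etc/init.d/sshd
S.5....T    /usr/sbin/sshd
.......T    /usr/bin/vim
..5....T    /bin/ls
missing     /usr/share/doc/bash-2.05b/README
.M......    /var/log/lastlog
S.5....T  c /etc/sysconfig/iptables
EOF
}

echo "== non-config files with changed MD5 (explain each one) =="
sample_verify_output | suspicious_digests
echo "== config files with changed MD5 (diff against known-good) =="
sample_verify_output | changed_configs
echo "== missing files =="
sample_verify_output | missing_files
echo "== flags S.5....T mean: $(explain_flags 'S.5....T') =="
```

Replace `sample_verify_output` with a saved `rpm -Va` listing to use it on a real box. Timestamp-only mismatches (`.......T`) are deliberately left out of the first list; they are worth a glance but do not indicate a changed file.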