Security Incidents mailing list archives
Re: Ramen
From: Neil Long <neil.long () COMPUTING-SERVICES OXFORD AC UK>
Date: Tue, 23 Jan 2001 17:37:00 -0000
Matt, generally (well, actually 99.999% of the time), the rule is to totally reformat whenever there has been a root level compromise. Go to your old backups, restore from there. Have a stiff drink, for that box is history.

My rule #0 is get an image copy before doing your rule #1. Yes, trying to "clean up" is nearly futile, but properly handling the incident is important.

But for future reference, check the file attributes...

One of the main reasons for doing my rule #0 is because you may not think of this until after you've already re-formatted, at which point it's too late. There are lots of things you should check, including file attributes, but you won't remember them all, let alone do them all, in the three hour time window you might give yourself. I still suggest spending the extra hour or so to get an image copy first, which you can then come back to at a later date (even hand over to law enforcement if AFOSI calls you two years later and asks to see logs from the system -- this DOES happen.)

But I wouldn't spend any more time on that box. It's rooted. Restore from backups. Take a look at Bastille and Tripwire for the future!

As a learning experience, there is a lot you can gain from spending more time analyzing it, provided you have the time and you want to learn. Bastille helps prevent future problems, and Tripwire (as long as you don't get an LKM installed) can help identify future problems, but you don't get "in the trenches" learning if you never leave the couch. (P.S. Some things that come back from backups you DON'T want on your system, so even this advice should have its caveats.)

-- Dave Dittrich
Computing & Communications
All good advice from Dave ;-) Just to add that any host which has been broken via the Ramen worm is just as likely to have already been rootkitted by one of the many other scanners which have been sweeping by /16 net block for the past few months. Pre-conceptions are often not a good starting point. Pulling the disk and mounting it read-only or via an image is a much better approach. The Ramen script makes little or no attempt to hide its activities - not so for the others that have been going around.

regards
Neil
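An added shell example, not code from Dave's or Neil's posts, of the procedure the thread recommends: image the disk and hash the image before any cleanup, mount the image read-only, and check file attributes on the mounted copy. The device, image and mount paths are placeholders, and the lsattr output at the end is constructed sample data.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes a Linux analysis host with
# dd, sha256sum, mount and lsattr; /dev/sdb, disk.img and /mnt/evidence are
# placeholder paths. image_disk and mount_image_ro need root; flag_attrs does not.

# Rule #0: take an image before any cleanup, and hash it so its integrity can be
# shown later (e.g. if the image is handed to law enforcement years afterwards).
image_disk() {
    dev="$1"; img="$2"
    dd if="$dev" of="$img" bs=4M conv=noerror,sync || return 1
    sha256sum "$img" > "$img.sha256"
}

# Mount the image through a loop device, read-only and with noexec/nodev/nosuid,
# so nothing on the suspect filesystem is executed or altered during analysis.
mount_image_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt" && mount -o ro,loop,noexec,nodev,nosuid "$img" "$mnt"
}

# Read `lsattr -R` output on stdin and print entries carrying the immutable (i)
# or append-only (a) flag. ls does not show these, and an intruder who sets them
# on replaced binaries makes those files resist deletion and package reinstalls.
flag_attrs() {
    while read -r attrs path; do
        # skip lsattr's directory headers ("/bin:") and blank lines
        [ -n "$path" ] || continue
        case "$attrs" in *[!A-Za-z-]*) continue ;; esac
        case "$attrs" in
            *i*|*a*) printf '%s %s\n' "$attrs" "$path" ;;
        esac
    done
}

# Constructed sample of lsattr -R output (not taken from a real host).
SAMPLE_LSATTR='/bin:
----i---------e------- /bin/ls
--------------e------- /bin/cat
/var/log:
-----a--------e------- /var/log/wtmp'

# Usage on the mounted image:  lsattr -R /mnt/evidence 2>/dev/null | flag_attrs
# Usage on the sample:         printf '%s\n' "$SAMPLE_LSATTR" | flag_attrs
```

Run flag_attrs against the mounted image rather than the live system, since a compromised host's lsattr binary is itself suspect.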