Security Incidents mailing list archives
Re: Questions = Thanks
From: Devdas Bhagat <devdas () worldgatein net>
Date: Thu, 22 Nov 2001 11:47:06 +0530
On 22/11/01 00:18 +0100, Pascal Nobus wrote:
> ----- Original Message -----
> From: "Ihsahn Diablo" <traktopika () hotmail com>
> > So I have one more thing to ask you: to give me some good links about what to do after a break or what to do if somebody is in the middle of an attack.
>
> boot your server up in single user mode
> enter these commands
>
>   rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
>   chmod +x /root/verify-rpms
>   /root/verify-rpms > /root/verify-results
And your attacker has modified the online RPM database to give the new md5sums :). You can trust *nothing* on the cracked system. Check from an offline database. Make sure you have recent tripwire backups, and check those from a good known-to-be-correct database against the current status of the systems. Compare md5sums of every file with the ones on a known-to-be-clean system. (Just in case an LKM has been installed which catches open, and misses stat/read or whatever else).
> wait for this list to complete. If you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login, /etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services, /usr/bin/find showing up in this list then it's very likely you have been hacked into. You can determine which rpm each of these files came from and reinstall the RPM for them from a secure media (Red Hat 6.2 CDROM) via
Very bad advice. Format, patch and restore the data from backups. Harden, then bring the machine online. You can *never* trust a machine which was once broken into.

Devdas Bhagat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
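The offline check Devdas describes, as an added example that is not part of the thread: the suspect disk is assumed to be mounted read-only under some root from a clean boot medium, and the known-good side is a manifest of file digests (one "<hexdigest>  <relative path>" line per file, the format sha256sum writes) saved earlier from a clean system. The `demo()` function builds a constructed sample root in a temporary directory rather than touching a real disk; SHA-256 is used in place of the MD5 the thread mentions.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the thread): hash every file under a suspect root
# that is mounted read-only from a clean boot medium, and compare against a
# manifest ("<hexdigest>  <relative path>" per line) produced on a known-clean system.

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file below root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines; ignore blanks and comments."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, path = line.rstrip().partition("  ")
            out[path] = digest
    return out

def compare(known_good: dict[str, str], suspect: dict[str, str]) -> dict[str, list[str]]:
    """Files whose digest changed, files gone, and files the clean system never had."""
    return {
        "modified": sorted(p for p in known_good if p in suspect and suspect[p] != known_good[p]),
        "missing": sorted(p for p in known_good if p not in suspect),
        "unexpected": sorted(p for p in suspect if p not in known_good),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample root: bin/ls replaced, bin/ps removed, a stray file added."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"clean ls binary")
        (root / "bin" / "ps").write_bytes(b"clean ps binary")
        # Manifest text as it would have been saved from the clean system.
        good_text = "\n".join(f"{h}  {p}" for p, h in build_manifest(root).items())
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "bin" / "ps").unlink()
        (root / "bin" / "unknown").write_bytes(b"file not in the clean manifest")
        return compare(parse_manifest(good_text), build_manifest(root))
```

Because the hashing runs from a separate, trusted kernel over a mounted image, a kernel module on the compromised host cannot lie to it the way it can to rpm --verify run on the live system.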