Security Basics mailing list archives

Re: possible rooted systems


From: Mailing Lists <itmaillist () gmail com>
Date: Mon, 1 Nov 2004 09:35:47 -0500

Hello,

My comment wasn't meant to be the only step in correcting the problem,
I was adding to the comment above mine (and other suggestions to come
about closing holes).  Once the problems are discovered and holes are
found and closed, re-imaging would still be necessary since more
likely than not the problem has a lot to do with malware, and even
when holes are closed in the network the computer would likely still
find a way to be a nuisance and a security risk on the network.

Read-only master copies are surely necessary but not always convenient
when fixing multiple machines.  Using MD5 checksums on the images
would allow you to use the USB drive the way I suggested and
provide the security needed to ensure the images were not modified.

Either way, close up the hole in the network.  Begin cleaning up PCs
however you need.  As a previous poster mentioned, consider upgrading
the 98 machines, and wherever possible implement host hardening.



On Fri, 29 Oct 2004 15:06:48 -0700 (PDT), Alvin Oga
<alvin.sec () virtual linux-consulting com> wrote:

hi ya

Not to be a stickler for details and hopefully you are already
planning this, but the infected machines should be re-imaged, not
fixed.  Otherwise you leave yourself open to missing backdoors and

re-imaging will NOT solve the problem, since the attacker can
come back in using the same exploit that they already know worked
on your box
        - you have to fix the hole that they used to get in
        ===================================================
                next time they are very likely to do an "rm -rf /"
                and hopefully you don't use automount in an unsafe way

a better approach ...
        --
        == backup all your data (not system) to a new disk on a new machine
        -- leave your old backups intact forever ..
        --

        - find out how they got in
        - find out when they got in
        - find out who they are
        - find out what machines they came from and get the other hack'd
          machine owner and isp's help to "get the attacker"
        - find out what commands they typed
        - find out what other machines they tried to attack/connect to
        - find out what files they modified
        - contact the local police dept and FBI ( if over $15K? in damages )

        - hire somebody to do all that for you


An easy solution that I use is to have a USB drive around that has
all the images I need on it.  When a machine hiccups, I can back it up
to the USB drive using a ghost boot disk with DOS USB drivers, and
then plant a new image over the top.

the "master image" should be cdrom or non-writeable device
since you are plugging your "master image" into a hacked box
and by your own definition, you don't know that your usb disk is safe after that
( unknown back door, unknown virus, etc.. etc.. )

c ya
alvin
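The checksum idea raised earlier in this message (hash the images on the USB drive so a modified image is detected before it is restored) as an added example, not code from anyone in the thread. It assumes a directory of images and a manifest path as its two arguments, and uses SHA-256 rather than MD5.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a SHA-256 manifest for the
# restore images kept on a USB drive and verifies the drive against that
# manifest before any image is written to a cleaned machine.
# Assumed layout: images in one directory ($1), manifest written to $2.
# The manifest itself must live on read-only media (CD-ROM) or a trusted host;
# a copy kept only on the writable USB drive proves nothing once that drive
# has been plugged into a compromised box.
# SHA-256 replaces the MD5 the thread mentions: MD5 collisions are practical
# today, so two different images can be made to share one MD5 sum.

# make_manifest DIR MANIFEST: hash every regular file in DIR into MANIFEST.
make_manifest() {
    dir=$1; manifest=$2
    : > "$manifest"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # record the basename only, so the manifest is valid at any mount point
        ( cd "$dir" && sha256sum "$(basename "$f")" ) >> "$manifest"
    done
}

# verify_images DIR MANIFEST: exit 0 only if every listed image is unchanged
# and every manifest line is well formed (--strict); output is suppressed.
verify_images() {
    dir=$1; manifest=$2
    ( cd "$dir" && sha256sum --check --strict --status - ) < "$manifest"
}

# Demo on constructed sample "images" (a few bytes each, not real images).
work=$(mktemp -d)
mkdir "$work/images"
printf 'constructed win98 image' > "$work/images/win98.img"
printf 'constructed w2k image'   > "$work/images/w2k.img"
make_manifest "$work/images" "$work/manifest.sha256"
if verify_images "$work/images" "$work/manifest.sha256"; then
    echo "images match manifest: safe to restore"
fi
# simulate the drive being altered while plugged into a compromised machine
printf 'backdoor' >> "$work/images/w2k.img"
if ! verify_images "$work/images" "$work/manifest.sha256"; then
    echo "manifest mismatch: do not restore from this drive"
fi
rm -rf "$work"
```

Keep the manifest (or a second copy of it) off the USB drive, because verification is only as trustworthy as the copy of the manifest it is compared against.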



