Security Basics mailing list archives

Re: Linux hacked

From: Barrie Dempster <barrie () reboot-robot net>
Date: Thu, 21 Oct 2004 11:08:37 +0100

On Wed, 2004-10-20 at 11:52 -0500, Nicholson, Dale wrote:

<snip>

Can someone help me with where to get a listing of everything I have
installed and the versions?

`ls /var/db/pkg/*/*/*.ebuild | cut -d/ -f5-6 | less`
 
will list everything you have installed

Also, I need something that can detect root kits etc. on linux.  I've heard
knoppix mentioned as having good tools on this list for an example, but I
wouldn't know what tools to use for this particular case.

chkrootkit - http://www.chkrootkit.org
or
rkhunter - http://freshmeat.net/projects/rkhunter

You will also find chkrootkit on knoppix-STD -
http://www.knoppix-std.org

This is what I tried so far:
I logged in using a boot CD, mounted the hard disks, chrooted in, blanked
out the root password in the /etc/shadow file, changed the root password,
rebooted and tried to log in normally.  This did not work.  I also checked
that the correct users were in both /etc/passwd and /etc/shadow.


Attacker may have modified the login binary, since it's a gentoo box
and the binaries will be self compiled it will be hard to verify this
since I'm under the impression you haven't been performing integrity
checks. I suggest you don't put this install back into production, as since
you are a self confessed novice you will have a hard time cleaning it
out.

Find all the key configuration files and back them up (or use a recent
backup), before a reinstall of the system, then replace everything as
needed. Be sure to verify that the configuration files you restore to
the new install don't have any dodgy modifications, if in doubt re-build
the config from the default config files.

No offence intended but if your admin can't talk you through getting
access to the box again, than maybe you should seek advice from
elsewhere on the running of your machine. Since you have little security
experience yourself getting someone that knows security would be a good
help. Also updating a machine once a week doesn't equate to good
security, if he isn't log monitoring and performing integrity checks,
then you won't know if you are being attacked or not.

Good Luck. :-)

-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Linux hacked Nicholson, Dale (Oct 20)
- Re: Linux hacked Casper the Friendly Ghost (Oct 21)
- Re: Linux hacked Jonathan Loh (Oct 21)
- Message not available
  - Re: Linux hacked xyberpix (Oct 21)
    - RE: Linux hacked Randori (Oct 21)
- Re: Linux hacked Barrie Dempster (Oct 21)
- Re: Linux hacked Miles Stevenson (Oct 21)
  - Re: Linux hacked xyberpix (Oct 25)
- <Possible follow-ups>
- RE: Linux hacked Conlan Adams (Oct 21)
  - RE: Linux hacked mike (Oct 21)
- RE: Linux hacked Matt Arntsen (Oct 21)
  - RE: Linux hacked Jonathan Loh (Oct 22)
  - RE: Linux hacked xyberpix (Oct 25)
- RE: Linux hacked Nicholson, Dale (Oct 25)
  - RE: Linux hacked Leif Ericksen (Oct 25)
  - RE: Linux hacked Randori (Oct 25)

(Thread continues...)