Full Disclosure mailing list archives
Re: Removing ShKit Root Kit
From: Alexander Schreiber <als () thangorodrim de>
Date: Mon, 22 Dec 2003 23:16:02 +0100
On Mon, Dec 22, 2003 at 01:52:57PM -0600, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: full-disclosure-admin () lists netsys com
> > [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> > Alexander Schreiber
> > Sent: Monday, December 22, 2003 12:24 AM
> > To: Chris
> > Cc: full-disclosure () lists netsys com
> > Subject: Re: [Full-disclosure] Removing ShKit Root Kit
> >
> > There is exactly one way to properly clean up a rooted box: backup
> > the system (for later analysis and for keeping any data that might be
> > needed), wipe the disks and reinstall from known clean install media,
> > update the system to get all current security updates and properly
> > secure the box.
>
> This advice is common, and it's always mystified me. Why would you want
> backups of the "data"? If the box is compromised, you can't trust
> *anything* on it, can you? How can you know for certain that "data"
> isn't a cleverly concealed backdoor? I can understand backing up the
> disk for offline analysis, but I would think you'd want to restore your
> data from known good copies, wouldn't you? And if you don't have known
> good data backups, well, then consider it a lesson learned and do it
> right the next time.
Keeping a backup of the data of the compromised box can be useful for
several purposes:

 - Offline analysis: how did the cracker get into the box and what did he
   do, once he owned it?
 - What data was on the box (unless deleted by the cracker) and must
   therefore be considered compromised?
 - Maybe it needs to be kept as evidence (but then better follow proper
   forensic data duplication procedures).
 - If you don't have current backups of the data and the data was worth
   keeping (most likely true), slap yourself silly with a wet towel
   because you (or your management) have been stupid. Try to recover the
   data from the box, but consider all of it well and truly mangled;
   after all, if your secret source code was on this box, the cracker
   might as well have hidden a nasty backdoor in there ...

Of course, restoring the data from known good backups is always better.
If you have proper backups, don't care for the analysis and just want to
have the machine back working, then just wipe, reinstall, secure, restore
and be done with it.

Regards,
       Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls
 and looks like work."                      -- Thomas A. Edison

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
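The two procedures the reply leans on, "proper forensic data duplication" of the compromised disk and restoring only data that matches known-good copies, as an added worked example that is not part of the thread or of any poster's own tooling. It assumes GNU coreutils (dd, tee, sha256sum); the device name /dev/sdb mentioned in the comments is hypothetical, and a constructed file stands in for the disk so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread above): forensic duplication of a suspect
# disk with hash verification, and a check of restored data against a manifest
# taken from the known-good backup. A constructed file stands in for the block
# device so this runs offline; /dev/sdb in the comments is hypothetical.
set -u

# acquire_image SRC DST LOG [BS]
# Bit-for-bit copy of SRC to DST. conv=noerror,sync keeps dd going past an
# unreadable sector (the bad block is written out as NULs) instead of
# aborting, which is what you want from a disk the attacker may have damaged.
# The source is read exactly once: the bytes dd produced are hashed in the
# pipeline, then the written image is hashed separately, and the two must
# agree. Both hashes go into LOG so they can be quoted later as evidence.
# Caveat: conv=sync pads the final partial block, so BS must equal the
# device's sector size (512 or 4096) or the image will not hash like the disk.
# In practice SRC is the raw device, e.g. /dev/sdb (hypothetical), read
# through a write blocker and never mounted read-write.
acquire_image() {
    src=$1; dst=$2; log=$3; bs=${4:-512}
    printf 'acquire %s -> %s bs=%s\n' "$src" "$dst" "$bs" >>"$log"
    hash_in=$(dd if="$src" bs="$bs" conv=noerror,sync 2>>"$log" \
              | tee "$dst" | sha256sum | cut -d' ' -f1)
    hash_img=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'sha256 stream %s\nsha256 image  %s\n' "$hash_in" "$hash_img" >>"$log"
    [ "$hash_in" = "$hash_img" ]
}

# verify_restore MANIFEST DIR
# MANIFEST is sha256sum output produced from the known-good backup (never
# from the compromised host, whose files and hashes are equally untrusted).
# Returns 0 only if every listed file under DIR matches; --status suppresses
# output and leaves the verdict to the exit code.
verify_restore() {
    manifest=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    dir=$2
    (cd "$dir" && sha256sum --status -c "$manifest")
}

# Stand-alone demo on constructed data: a 4 KiB "disk" and a one-file backup
# whose restored copy is then tampered with.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk" bs=512 count=8 2>/dev/null
    if acquire_image "$work/disk" "$work/disk.img" "$work/acq.log"; then
        echo "image verified:"; cat "$work/acq.log"
    else
        echo "image hash mismatch, re-acquire"
    fi
    mkdir "$work/good"
    printf 'config=1\n' >"$work/good/app.conf"
    (cd "$work/good" && sha256sum app.conf) >"$work/manifest"
    verify_restore "$work/manifest" "$work/good" && echo "restore matches manifest"
    printf 'config=2\n' >"$work/good/app.conf"
    verify_restore "$work/manifest" "$work/good" || echo "restore differs from manifest: do not trust it"
    rm -rf "$work"
}

demo
```

The image, not the original disk, is what gets analysed: mount it read-only with the loop driver (mount -o ro,noexec,nodev,loop) or feed it to your forensic toolkit, and keep the hashes from the log with the image. Note that acquire_image reports success for a source that is not a whole number of blocks, since stream and image then agree with each other; the padding only shows up when you compare against the device itself, which is why the block size must match the sector size.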
Current thread:
- Re: Removing ShKit Root Kit, (continued)
- Message not available
- Re: Removing ShKit Root Kit Gino Thomas (Dec 22)
- Re: Removing ShKit Root Kit Nathan Bates (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Nathan Bates (Dec 23)
- Re: Removing ShKit Root Kit Larry W. Cashdollar (Dec 22)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 22)
- Re: Removing ShKit Root Kit Gregory A. Gilliss (Dec 22)
- Re: Removing ShKit Root Kit Ron DuFresne (Dec 22)
- Re: Removing ShKit Root Kit Jason (Dec 22)
- Re: Removing ShKit Root Kit Cael Abal (Dec 23)
- Re: Removing ShKit Root Kit Brian Eckman (Dec 23)
- Re: Removing ShKit Root Kit Gregory A. Gilliss (Dec 23)
- Re: Removing ShKit Root Kit Jason (Dec 23)