Security Incidents mailing list archives

Re: Ramen


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Mon, 22 Jan 2001 16:43:09 -0800

Matt, generally (well, actually 99.999% of the time), the rule is to
totally reformat whenever there has been a root level compromise.
Go to your old backups, restore from there.  Have a stiff drink, for
that box is history.

My rule #0 is get an image copy before doing your rule #1.
Yes, trying to "clean up" is nearly futile, but properly handling
the incident is important.

But for future reference, check the file attributes...

One of the main reasons for doing my rule #0 is because you may not
think of this until after you've already re-formatted, at which point
it's too late.  There are lots of things you should check, including
file attributes, but you won't remember them all, let alone do them
all, in the three hour time window you might give yourself.

I still suggest spending the extra hour or so to get an image copy
first, which you can then come back to at a later date (even hand
over to law enforcement if AFOSI calls you two years later and asks to
see logs from the system -- this DOES happen.)

But I wouldn't spend any more time on that box.  It's rooted.
Restore from backups.  Take a look at Bastille and Tripwire for the
future!

As a learning experience, there is a lot you can gain from spending
more time analyzing it, provided you have the time and you want to
learn.  Bastille helps prevent future problems, and Tripwire (as long
as you don't get an LKM installed) can help identify future problems,
but you don't get "in the trenches" learning if you never leave
the couch.  (P.S.  Some things that come back from backups you DON'T
want on your system, so even this advice should have its caveats.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
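Added example, not code from Dave's post: a POSIX shell sketch of his rule #0 (bit-for-bit image the disk before anything else, and hash both sides so the copy can be vouched for later) followed by the "check the file attributes" step. I read "file attributes" here as the ext2 immutable (i) and append-only (a) bits that lsattr displays, since a replaced binary marked immutable survives a naive cleanup; that reading, the function names, and the constructed lsattr lines in the usage comments are my assumptions. Assumes Linux with dd, sha256sum (or shasum) and e2fsprogs' lsattr, and that the imaging is done from read-only boot media, never from the running rooted box.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed tools: dd,
# sha256sum or shasum, awk, and lsattr from e2fsprogs.

# hash_file FILE: print the SHA-256 of FILE, whichever tool is present.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# image_disk SRC DST: rule #0. Copy SRC (a block device, e.g. /dev/hda)
# to DST block by block, keep going past read errors and pad the bad
# block so offsets stay aligned (conv=noerror,sync), then record the
# SHA-256 of both and return 0 only if they match. A real device is
# block-aligned; a regular file whose size is not a multiple of bs
# gets padded and will (correctly) fail verification.
image_disk() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dst")
    # The sidecar file is what you hand over with the image later.
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# suspicious_attrs: read `lsattr -R` output on stdin and print the path
# of every entry with the immutable (i) or append-only (a) bit set.
# lsattr lines look like "----i--------e-- /bin/ls"; the first field is
# letters and dashes only, so directory headers ("/bin:") and blank
# lines are skipped. Paths may contain spaces, so everything after the
# attribute field is printed.
suspicious_attrs() {
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ {
             sub(/^[^ ]+ +/, "")
             print
         }'
}

# scan_attrs DIR: run the attribute check over a mounted (read-only!)
# copy of the compromised filesystem.
scan_attrs() {
    lsattr -R "$1" 2>/dev/null | suspicious_attrs
}

# Usage (env-driven so the functions can also be sourced):
#   IMAGE_SRC=/dev/hda IMAGE_DST=/mnt/evidence/hda.img sh image.sh
#   mount -o ro,loop /mnt/evidence/hda.img /mnt/victim && scan_attrs /mnt/victim
if [ -n "${IMAGE_SRC:-}" ] && [ -n "${IMAGE_DST:-}" ]; then
    image_disk "$IMAGE_SRC" "$IMAGE_DST" || { echo "image verification FAILED" >&2; exit 1; }
fi
if [ -n "${SCAN_DIR:-}" ]; then
    scan_attrs "$SCAN_DIR"
fi
```

The split between suspicious_attrs (pure parsing on stdin) and scan_attrs (runs lsattr) is deliberate: lsattr only works on ext2-family filesystems and setting the bits needs root, so the parser can be exercised on saved lsattr output from the image without touching the evidence again.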

