Security Incidents mailing list archives

Re: Questions = Thanks


From: Devdas Bhagat <devdas () worldgatein net>
Date: Thu, 22 Nov 2001 11:47:06 +0530

On 22/11/01 00:18 +0100, Pascal Nobus wrote:
----- Original Message -----
From: "Ihsahn Diablo" <traktopika () hotmail com>

>> So I have one more thing to ask you: to give me some good links about
>> what to do after a break or what to do if somebody is in the middle of an
>> attack.

> boot your server up in single user mode
> enter these commands
> rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
> chmod +x /root/verify-rpms
> /root/verify-rpms > /root/verify-results
And your attacker has modified the online RPM database to give the new
md5sums :).
You can trust *nothing* on the cracked system. Check from an offline
database. Make sure you have recent tripwire backups, and check those
from a good known-to-be-correct database against the current status of
the systems. Compare md5sums of every file with the ones on a known to
be clean system. (Just in case a LKM has been installed which catches
open, and misses stat/read or whatever else).

> wait for this list to complete
>
> if you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login,
> /etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services,
> /usr/bin/find
> showing up in this list then it's very likely you have been hacked into
>
> you can determine which rpm each of these files came from and reinstall
> the RPM for them from a secure media (Red Hat 6.2 CDROM) via
Very bad advice. Format, patch and restore the data from backups.
Harden, then bring the machine online.
You can *never* trust a machine which was once broken into.

Devdas Bhagat
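
[Editor's note: the following is an added example illustrating the
"check from an offline database, on a known-clean system" approach
argued for above. It is not code from this thread or from any of its
authors. Assumptions, all mine: the suspect disk is mounted read-only on
a clean host at the path passed as `root` (e.g. /mnt/suspect, so the
suspect kernel and any LKM it carries is not running while the check is
done); the reference is a manifest of absolute path -> SHA-256 produced
earlier on a known-clean system with the same package set; SHA-256 is
used in place of the md5sums mentioned in the thread. The suspect host's
own RPM database is never consulted, for the reason given above. The
`demo()` scenario at the end is constructed: a trojaned /bin/ps, a file
dropped under /dev, and a missing PAM config.]

```python
"""Offline file-integrity check of a suspect filesystem against a trusted manifest.

Added example, not code from the original thread. Assumes the suspect disk is
mounted read-only on a clean host under `root`, and `manifest` maps absolute
paths on that disk to SHA-256 digests recorded on a known-clean system.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Report:
    modified: list = field(default_factory=list)    # digest differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent on disk
    unexpected: list = field(default_factory=list)  # on disk, unknown to manifest

    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<hexdigest>  <absolute path>' lines (the format `sha256sum` emits).
    Blank lines and '#' comments are ignored; a malformed line raises."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 64 or not path.startswith("/"):
            raise ValueError(f"manifest line {lineno}: {line!r}")
        manifest[path] = digest.lower()
    return manifest


def verify_tree(root: str, manifest: dict) -> Report:
    """Compare the tree under `root` with the manifest in both directions."""
    report = Report()
    for path, want in sorted(manifest.items()):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            report.missing.append(path)
        elif sha256_file(on_disk) != want:
            report.modified.append(path)
    # Files the manifest does not know: new binaries, things parked in /dev, ...
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if rel not in manifest and os.path.isfile(full):
                report.unexpected.append(rel)
    report.unexpected.sort()
    return report


def demo() -> Report:
    """Constructed scenario (not real data): a 'mounted' suspect tree in which
    /bin/ps was replaced, a file was dropped under /dev, and a PAM config is gone."""
    clean = {"/bin/ls": b"ls-binary-v1", "/bin/ps": b"ps-binary-v1",
             "/etc/pam.d/login": b"auth required pam_unix.so\n"}
    manifest = parse_manifest("\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {p}" for p, data in clean.items()))
    suspect = dict(clean)
    suspect["/bin/ps"] = b"ps-binary-trojaned"          # hides attacker's processes
    suspect["/dev/.hidden/backdoor"] = b"#!/bin/sh\n"  # parked where nobody looks
    del suspect["/etc/pam.d/login"]                    # removed outright
    with tempfile.TemporaryDirectory(prefix="suspect-") as root:
        for p, data in suspect.items():
            full = os.path.join(root, p.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify_tree(root, manifest)


if __name__ == "__main__":
    r = demo()
    for kind in ("modified", "missing", "unexpected"):
        for p in getattr(r, kind):
            print(f"{kind:10s} {p}")
```

The point of doing it this way rather than with the rpm commands quoted
above: the reference digests, the hashing code and the kernel doing the
reads all come from the clean host, so neither a rewritten RPM database
nor an LKM that lies to open()/read() on the suspect machine can affect
the result. The manifest needs to cover the files listed above
(/bin/ls, /bin/ps, /bin/login, the pam.d configs, rc.sysinit, find, ...)
and the "unexpected" list is where dropped files in /dev show up.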

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
