On Tue, 16 Sep 2003, Simon Matter wrote:
> No please. There are better solutions than mkfs in most situations. Why
> be so afraid of kernel modules and rootkit binaries? Boot from a CD
> like knoppix or similar. Then mount all filesystems and examine the
> system. First check whether your rpm database has been touched. A recent
> backup may help here. Then rpm is your friend by finding out which files
How do you know that you can trust your rpm binary? How do you know that
you can trust your rpm database? How do you know that you can trust
*anything* on the system?
> have been modified. You can also find out which files have not been
> installed via rpm so you can check them manually. After identifying the
> affected files, replace them with clean ones. Finally, diffing the entire
> system against backups may improve your confidence.
How do you know if your backups are compromised as well?
> Now, it's time to fix the hole in your box before you put it into
> production again!
> > oh please. if there are pieces of rootkit on your box then whether
> > they installed it or not is IRRELEVANT, your box was compromised,
> > period.
> > you cannot know what they did or did not do, your only responsible
> > recourse is a complete mkfs of all filesystems (i would dd the entire
> > disk with zeros) and a reinstall, then to audit your latest backup of
> > user data (do NOT restore ANY binaries).
> > they could have installed a kernel module which will alter the
> > behavior of arbitrary tools WITHOUT replacing any binary on your
> > system, which means tripwire and the most expensive `antivirus'
> > software will NOT be able to help you. don't think that such a module
> > will show up in lsmod output either, or that its file is visible to
> > you on the filesystem.
> > your box has been compromised, you need to rebuild it.
> > --
> > Ethan Benson
> > http://www.alaska.net/~erbenson/
Lonni J Friedman netllama@xxxxxxxxxxxxx
Linux Step-by-step & TyGeMo http://netllama.ipfox.com
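The rpm-based check Simon describes, done the way the thread's objections require: the rpm binary comes from the boot CD and the suspect disk is only mounted, so nothing on the compromised system is executed. This is an added example, not code from either poster; the mount point /mnt/target and the presence of rpm on the rescue CD are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Runs the *rescue CD's* rpm against the
# suspect disk mounted read-only under $TARGET, so neither the rpm binary nor
# the kernel of the compromised system is trusted. The mount point and the
# availability of rpm on the CD are assumptions.
TARGET=${TARGET:-/mnt/target}

# Verify every installed package against the target's own rpm database.
verify_target() {
    rpm --root "$TARGET" -Va 2>/dev/null
}

# Files in the usual binary/module directories that no package owns: these
# have no recorded checksum to compare against and must be reviewed by hand.
unowned_files() {
    owned=$(mktemp) || return 1
    rpm --root "$TARGET" -qal | sort -u >"$owned"
    find "$TARGET/bin" "$TARGET/sbin" "$TARGET/usr/bin" "$TARGET/usr/sbin" \
         "$TARGET/lib/modules" -type f 2>/dev/null |
        sed "s|^$TARGET||" | sort -u | comm -23 - "$owned"
    rm -f "$owned"
}

# Triage one 'rpm -Va' line. Flag columns: S size, M mode, 5 md5, D device,
# L symlink, U user, G group, T mtime; '?' = test could not run; the word
# "missing" replaces the flags for absent files. Config/doc/ghost files
# (attr c/d/g) are expected to differ; anything else with a changed checksum,
# mode, owner or link target is a SUSPECT. Prints "VERDICT path reason".
triage_line() {
    printf '%s\n' "$1" | awk '{
        flags = $1
        if (NF >= 3) { attr = $2; path = $3 } else { attr = ""; path = $2 }
        if (flags == "missing")  { print "SUSPECT " path " missing"; next }
        if (attr ~ /^[cdg]$/)    { print "OK " path " attr=" attr; next }
        if (flags ~ /[SM5LUG?]/) { print "SUSPECT " path " flags=" flags; next }
        print "OK " path " flags=" flags
    }'
}

# Apply triage_line to a whole verify report read from stdin.
triage_report() {
    while IFS= read -r line; do triage_line "$line"; done
}

# Only run against a real mounted target; otherwise just define the functions.
if [ -d "$TARGET/var/lib/rpm" ]; then
    verify_target | triage_report | grep '^SUSPECT' || echo "no suspect files"
    echo "--- files owned by no package ---"
    unowned_files
fi
```

A SUSPECT on a non-config binary tells you only that the file differs from what the package database claims; a database that has itself been edited, or a module hidden by a kernel rootkit as Ethan describes, will not show up here, which is why the result raises confidence rather than proving the box clean.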