> On Tue, 16 Sep 2003, Simon Matter wrote:
>> No please. There are better solutions than mkfs in most situations. Why
>> be so afraid of kernel modules and rootkit binaries? Boot from a CD
>> like knoppix or similar. Then mount all filesystems and examine the
>> system. First check whether your rpm database has been touched. A recent
>> backup may help here. Then rpm is your friend by finding out which files
> How do you know that you can trust your rpm binary? How do you know that
> you can trust your rpm database? How do you know that you can trust
> *anything* on the system?
You boot from CD. Then you can use rpm2cpio running from the CD and
extract the rpm package which is installed on the target system. Diff all
the files and you're sure your rpm binaries are okay.
>> have been modified. You can also find out which files have not been
>> installed via rpm so you can check them manually. After identifying the
>> affected files, replace them with clean ones. Finally, diffing the
>> system against backups may improve your confidence.
> How do you know if your backups are compromised as well?
No problem. I identify which files have been modified by the rootkit. Then
I go back in the backups searching for when this file has been changed.
Now, I know which backup to use.
Of course one has to work carefully when removing a rootkit. If you have a
simple server like an NFS box or similar, you may be faster with the mkfs
method. On very complex boxes, starting from the ground up can cost too much
time, at least much more than carefully identifying the compromised parts
of the system and replacing them with clean ones.
>> Now, it's time to fix the hole in your box before you put it into
>> production again!
>> > oh please. if there are pieces of rootkit on your box then whether
>> > they installed it or not is IRRELEVANT, your box was compromised,
>> > period.
>> > you cannot know what they did or did not do, your only responsible
>> > recourse is a complete mkfs of all filesystems (i would dd the entire
>> > disk with zeros) and a reinstall, then to audit your latest backup of
>> > user data (do NOT restore ANY binaries).
>> > they could have installed a kernel module which will alter the
>> > behavior of arbitrary tools WITHOUT replacing any binary on your
>> > system, which means tripwire and the most expensive `antivirus'
>> > software will NOT be able to help you. don't think that such a module
>> > will show up in lsmod output either, or that its file is visible to
>> > you on the filesystem.
>> > your box has been compromised, you need to rebuild it.
>> > --
>> > Ethan Benson
>> > http://www.alaska.net/~erbenson/
> Lonni J Friedman netllama@xxxxxxxxxxxxx
> Linux Step-by-step & TyGeMo http://netllama.ipfox.com
Simon Matter Tel: +41 61 695 57 35
Fr.Sauter AG / CIT Fax: +41 61 695 53 30
Im Surinam 55
CH-4016 Basel [mailto:simon.matter@xxxxxxxxxxxxxxxx]
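The procedure Simon describes above (boot from rescue media, unpack the package with rpm2cpio instead of trusting the target's rpm binary, diff the installed files against the clean copy, list files no package owns, then walk the backups to find the last clean copy of each modified file), written out as a set of shell helpers. This is an added example, not code from the thread or from any of its authors. The function names (extract_clean, diff_tree, unowned_files, last_clean_backup, build_fixture) are my own, the mounted target root and backup directories are assumed to already exist, and build_fixture creates a constructed sample tree so the hash and diff helpers can be exercised offline; only extract_clean and unowned_files call rpm2cpio/rpm and need a real RPM system.

```shell
#!/bin/sh
# Added example (not from the original thread). Helpers for checking a
# compromised system from rescue media: every tool that runs here comes from
# the rescue CD, nothing from the mounted target is executed.

# Hash a file with sha256sum, or shasum where sha256sum is missing.
# Hashes are compared rather than mtimes because a rootkit can restore
# timestamps after replacing a binary.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# extract_clean PKG.rpm DESTDIR
# Unpack a package file from trusted media into DESTDIR with rpm2cpio/cpio,
# giving a known-clean tree to diff the target against.
extract_clean() {
    pkg=$1; dest=$2
    mkdir -p "$dest"
    rpm2cpio "$pkg" | (cd "$dest" && cpio -idm)
}

# diff_tree CLEANDIR TARGETDIR
# Print "MODIFIED path" for each file under CLEANDIR whose copy under
# TARGETDIR has a different hash, and "MISSING path" where it is absent.
diff_tree() {
    clean=$1; target=$2
    (cd "$clean" && find . -type f | sort) | while read -r f; do
        f=${f#./}
        if [ ! -f "$target/$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif [ "$(hash_file "$clean/$f")" != "$(hash_file "$target/$f")" ]; then
            printf 'MODIFIED %s\n' "$f"
        fi
    done
}

# unowned_files ROOT DIR
# List files under DIR of the target mounted at ROOT that no installed
# package claims (rpm -qf fails): candidates for manual inspection.
# Uses the target's rpm database, so check that database first, as the
# post says; "rpm --root ROOT -Va" is the companion check for owned files.
unowned_files() {
    root=$1; dir=$2
    find "$root$dir" -type f | while read -r f; do
        rel=${f#"$root"}
        rpm --root "$root" -qf "$rel" >/dev/null 2>&1 || printf '%s\n' "$rel"
    done
}

# last_clean_backup FILE ROOT BACKUP...
# FILE is the relative path of a file already known to be modified, ROOT the
# mounted target, and BACKUP... backup trees ordered newest to oldest.
# Prints the newest backup whose copy of FILE differs from the compromised
# copy. Returns 1 if every backup matches the compromised file, i.e. the
# change predates all of them and no backup can be trusted for it.
last_clean_backup() {
    f=$1; root=$2; shift 2
    bad=$(hash_file "$root/$f")
    for b in "$@"; do
        [ -f "$b/$f" ] || continue
        if [ "$(hash_file "$b/$f")" != "$bad" ]; then
            printf '%s\n' "$b"
            return 0
        fi
    done
    return 1
}

# build_fixture: constructed sample data, not a real system. Creates a clean
# package tree, a target where bin/ps was trojaned and bin/id removed, and
# three backups (b1 oldest, b3 newest, b3 taken after the compromise).
# Prints the temporary directory it built.
build_fixture() {
    d=$(mktemp -d)
    for t in clean target b1 b2 b3; do mkdir -p "$d/$t/bin"; done
    printf 'clean ls\n' > "$d/clean/bin/ls"
    printf 'clean ps\n' > "$d/clean/bin/ps"
    printf 'clean id\n' > "$d/clean/bin/id"
    printf 'clean ls\n' > "$d/target/bin/ls"
    printf 'trojaned ps\n' > "$d/target/bin/ps"
    for b in b1 b2; do printf 'clean ps\n' > "$d/$b/bin/ps"; done
    printf 'trojaned ps\n' > "$d/b3/bin/ps"
    printf '%s\n' "$d"
}
```

On a real system the flow is: mount the target under, say, /mnt/target, run extract_clean on the package file from the install CD, diff_tree the extracted tree against /mnt/target, feed each MODIFIED path to last_clean_backup, and replace the file from that backup (or from the extracted package when it is package-owned). Comparing against the compromised hash only tells you which backups predate the change; where a clean package copy exists, also diff the chosen backup against it, since an earlier, unrelated modification would otherwise pass as clean.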