[vox-tech] lugod.org cracked?

Rick Moen rick at linuxmafia.com
Tue Feb 15 15:39:34 PST 2005


Quoting ME (dugan at passwall.com):

> You will want to down the box and run some integrity checking scripts to
> verify the applications installed are from the packages you have
> installed.

Rod is certainly qualified to choose his own poison, but this is what I
did:

o  Bring down system.  Secure best copy of data files and reference
   snapshot of /etc.  Double-check that inventories of installed packages,
   installed-package versions, and "fdisk -l /dev/sd?" output are
   correct and useful.
o  Blow away contents of all hard drives.
o  Recreate minimal system using trusted installation media.  Study
   and adjust security policy.
o  Build up installed packages, as desired.
o  Adjust /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow to add
   back users, but with their access disabled.
o  Copy back user data, except without dotfiles or ~/bin contents.
o  Copy back system data files (e.g., /var/www, /var/mail, /var/news).
o  Recreate system services, with visual reference to prior /etc
   contents, but without reusing any of those files.  (Like all prior
   libs and executables, they are presumed compromised and cannot be
   trusted.)  Regenerate SSH host keys.
o  Re-enable user access, and arrange for their new access without
   honouring any prior security tokens, via out-of-band communication.

I would not recommend to anyone, at any time, that a root-compromised
system merely be "checked" and left running without a rebuild as above.
That is nothing like a suitable or adequate remedy, in my view.

> Is lugod.org running a file integrity checker?

Some of my thoughts, on that:
http://linuxgazette.net/issue98/moen.html
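Two of the steps in the rebuild list above, as an added example that is not part of Rick's post: one helper re-adds users from a saved /etc/passwd with their access disabled, the other copies a user's data back without dotfiles or ~/bin. The path arguments and the UID >= 1000 cutoff for "regular user" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for two steps of the
# rebuild: re-adding users with access disabled, and copying user data back
# without dotfiles or ~/bin. Path arguments and the UID >= 1000 cutoff for
# "regular user" are assumptions for this example.

# Emit /etc/shadow-style lines for the regular users found in a saved copy of
# /etc/passwd, with the password field set to "!" so every account comes back
# locked until access is re-established out of band. Old hashes are never
# reused: the saved shadow file is treated as compromised.
locked_shadow_from_passwd() {
    awk -F: -v days="$(( $(date +%s) / 86400 ))" \
        '$3 >= 1000 && $1 != "nobody" { printf "%s:!:%d:0:99999:7:::\n", $1, days }' "$1"
}

# Copy a user's files from the saved home ($1) into the fresh home ($2),
# pruning every dotfile/dot-directory (.bashrc, .ssh, .profile ...) and the
# top-level bin tree, since those are the usual places for planted hooks.
# Only regular files are copied; symlinks are dropped rather than trusted.
copy_user_data() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    ( cd "$src" && find . \( -path '*/.*' -o -path './bin' \) -prune -o -type f -print ) |
    while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp -p "$src/$f" "$dst/$f"
    done
}
```

Run both from the freshly installed system with the saved copy of the old disks mounted read-only.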
