[vox-tech] lugod.org cracked?

ME dugan at passwall.com
Tue Feb 15 16:25:24 PST 2005


Rick Moen said:
> Quoting ME (dugan at passwall.com):
>
>> You will want to down the box and run some integrity checking scripts to
>> verify the applications installed are from the packages you have
>> installed.
>
> Rod is certainly qualified to choose his own poison, but this is what I
> did:
[chop]
> I would not recommend to anyone, at any time, that a root-compromised
> system merely be "checked" and left running without a rebuild as above.
> That is nothing like a suitable or adequate remedy, in my view.

Rick brings up a good point here. This is a good practice and for root
compromises, it is often the only supportable solution. (Once root, always
root.)

The purpose of checking integrity of packages and installed binaries is to
help determine if a break-in led to priv-escalation, but is very limited;
it is one of those things that a positive determination of critical files
being altered in a malicious way will help you to understand what account
may have been compromised *but* lack of finding any problems does not mean
there was no priv-escalation. Like integrity checkers... they are designed
to let you know when something is wrong, but just because they don't tell
you something is wrong does not mean there is nothing wrong.

Another thing I forgot to mention, which I should have mentioned first...
(I just assumed Rod was looking to get the system back up quickly, and
this is a good place to include more signal (like you did) for another
good thread on vox-tech...)

When you discover a breakin, you must decide what your first goal is:
1) Prosecution ?
2) Minimize Down Time ?
3) Diagnosis and resolution ?

Wietse Venema and Dan Farmer gave a nice presentation on this and how
each choice excludes the other two.

If you decide to prosecute, your first concern is chain of evidence and
not tampering with any of the files. This can mean prolonged outages, and
also precludes you from investigation of the drive "as-is." Then you must
document who has contact with what and when and start tagging things and
gather information outside the system before contacting your favorite LEO.
Even shutting down the system may cause critical evidence to be lost, but
everything must be documented.

If you decide to minimize downtimes then you can just patch-and-go
(something that Rick warns about above, and I tend to agree) restore and
go, or rebuild & clean import, and then re-start. However, this means you
can't inspect that system if you clobber that system in the re-install. It
also makes your evidence go away.

Diagnosis and resolution is what Rod is doing right now:
Shut down critical services, tear apart the system, examine points of
entry, understand method of entry, reasons for compromise, extent of
compromise, find a path for resolution, implement it. Of course, this
means destruction of evidence, and once you power down the machine, any
processes are gone and can't be inspected. It also means you spend time
with diagnosis instead of minimizing down-time. However, without a full
re-install there is no guarantee that the system was not rooted, only no
evidence that it was rooted.

There is more to these than what I printed, but I found that presentation
rather nice.

>> Is lugod.org running a file integrity checker?
>
> Some of my thoughts, on that:
> http://linuxgazette.net/issue98/moen.html

I came across this one and another article you had that provided links to
a variety of integrity checking apps. Pretty good information there. I
think we found one on your site too, and found that to be useful too.
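The integrity-check-against-a-known-good-baseline idea discussed in this thread, as an added example that is not code from the thread or from any of the tools mentioned. It assumes a baseline manifest captured before the incident and kept off-box, and that the tree being checked is mounted read-only from a trusted environment (tools on a root-compromised host cannot be trusted to report honestly). It reports modified, missing and unexpected files; a clean report is, as the post says, only absence of evidence.

```python
# Added example (not from the thread): compare a file tree against a
# known-good baseline of SHA-256 hashes. Assumes the baseline was captured
# before the compromise and stored off-box, and that the tree is mounted
# read-only from a trusted environment. A clean result proves nothing.
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> sha256 for every regular (non-symlink) file."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify(root, baseline):
    """Compare the current tree against the baseline; return findings."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: baseline a small tree, then alter it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name, data in (("bin/ls", b"original ls"), ("bin/ps", b"original ps")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_manifest(root)          # the off-box, pre-incident copy
    with open(os.path.join(root, "bin/ps"), "wb") as f:     # altered binary
        f.write(b"replaced ps")
    os.remove(os.path.join(root, "bin/ls"))                 # deleted file
    with open(os.path.join(root, "bin/extra"), "wb") as f:  # unexpected file
        f.write(b"new")
    return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```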
