Re: Anyone got hacked lately (or why to re-install after being cracked)
- From: Aaron Turner <aturner linuxkb org>
- To: redhat-list redhat com
- Subject: Re: Anyone got hacked lately (or why to re-install after being cracked)
- Date: Tue, 7 Sep 1999 08:54:34 -0700 (PDT)
Jim,
Just so you and everyone else knows, be aware that there is at least one
report of a cracker tricking tripwire by loading a kernel module. The
basic premise is that the module redirected syscalls for changed files
to backed-up copies hiding elsewhere.
The result was that tripwire and manual analysis showed the files
unchanged, but when the file was actually run, it was a trojan.
Hence, once you've been hacked, the *only* sure way to recover is to
back up your data files, and reinstall from CDROM. Do not restore the OS
from tape, because you don't know when you were cracked, so you don't know
how far back to go in your tapes.
For more details about the crack I'm talking about see:
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id=32
and scroll down to the section labeled "Third Week".
--
Aaron Turner, Core Developer http://vodka.linuxkb.org/~aturner/
Linux Knowledge Base Organization http://linuxkb.org/
Because world domination requires quality open documentation.
On Tue, 7 Sep 1999, Jim Gallagher wrote:
> > ------------------------------------------------------------------------
> >
> > Subject: Re: Anyone got hacked lately
> > Date: Tue, 07 Sep 1999 08:53:10 +0200
> > From: Igmar Palsenberg <palsenberg tebenet nl>
> > To: redhat-list redhat com
> >
> > I made the decision to go check the system on Friday. I locked the
> > /etc/passwd and /etc/shadow file, so they can't be modified.
> >
> > Is there a REAL good way to make sure that RPMs, the RPM database, etc
> > aren't modified ?? I have the CD at hand.
> >
> > No real idea how to check it, so maybe you can give me some advice on
> > how to compare a system with the RPMs on the CD without using the
> > binaries on that system.
> >
> >
> >
> > Thanks,
> >
> > Igmar
> >
>
> There is a utility called Tripwire that is very handy for this type of thing,
> although it doesn't work as you describe. It does multiple checksums using
> different algorithms of each file or directory tree you configure it to. Then,
> when you want to validate your configuration, you rerun it and it prints a
> listing of all files that were checked and have changed since the initial
> checksum was calculated. The idea is that the initial set of checksums can
> be kept off-line or on another machine. That way, they cannot be updated
> by your cracker :-)
>
> Tripwire is a commercial product, but I believe it's free for
> evaluation/non-commercial use.
>
> Also, once a knowledgeable cracker has hacked your system, there are MANY
> devious ways for them to regain access to the machine, some of them close to
> impossible to detect from a shell. Tripwire, run when booted from a boot floppy,
> (no modules or binaries loaded from the hard drive) is the only way I know to
> be sure that your system really hasn't been hacked.
>
> Jim Gallagher
>
>
> --
> To unsubscribe: mail redhat-list-request redhat com with "unsubscribe"
> as the Subject.
>
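A minimal baseline-and-compare tool in the spirit of the Tripwire usage Jim describes, added here as an illustration; it is not Tripwire's code and not part of the original thread, and the function names and the constructed sample tree are my own. Following Aaron's point about the syscall-redirecting kernel module, it is only trustworthy when run from clean boot media against the suspect filesystem mounted read-only, with the baseline kept off-host; the demo shows that a binary swapped for one of equal size with its mtime restored is still caught by the digests.

```python
import hashlib, json, os, stat, tempfile
ALGOS = ("md5", "sha1", "sha256")  # several digests per file, as Tripwire does

def fingerprint(path):
    """Digests plus inode metadata for one regular file."""
    st = os.lstat(path)
    digests = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "inode": st.st_ino,
            "mtime": int(st.st_mtime), **{a: d.hexdigest() for a, d in digests.items()}}

def baseline(root):
    """Fingerprint every regular file under root (the suspect disk, mounted from clean boot media)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def save_baseline(db, path):  # keep this file off-host or on read-only media
    with open(path, "w") as fh:
        json.dump(db, fh, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(old, new):
    """Files whose digests or metadata differ, plus files added or removed since the baseline."""
    return {"changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
            "added": sorted(new.keys() - old.keys()), "removed": sorted(old.keys() - new.keys())}

def demo():
    """Constructed scenario: a binary is replaced by one of equal size and its mtime restored."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "ls")
    with open(target, "wb") as fh:
        fh.write(b"original-ls")
    db_file = os.path.join(tempfile.mkdtemp(), "baseline.json")  # stands in for off-host storage
    save_baseline(baseline(root), db_file)
    st = os.stat(target)
    with open(target, "wb") as fh:                 # same inode, same size as before
        fh.write(b"trojaned-ls")
    os.utime(target, (st.st_atime, st.st_mtime))   # timestamps put back
    return compare(load_baseline(db_file), baseline(root))
```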