On Sun, 29 Jun 2003 23:47, Jason Lim wrote:
> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/
>
> Is there any way to verify the integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?

"dpkg --get-selections" will give you a list of installed packages.

The thing to do is to boot from a CD-ROM to do all the work (otherwise you are using potentially trojaned executables), and resist the temptation to chroot to the hacked FS. You can then back up /etc (make sure you don't preserve any SETUID binaries and check all the security-related files for correct contents) and blow away the root fs. Then you can do a Debian install and use dpkg --set-selections to install the right packages.

> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been
> replaced).

Not all packages support this.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

find allows this.

Make sure you change all passwords.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
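
The setuid search that the reply says find allows, as an added example that is not part of the original message: it audits a mounted (not chrooted) tree from rescue media and can also confirm that a saved copy of /etc carries no setuid or setgid files. The function names and the /mnt/hacked mount point are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread. Run it from trusted rescue
# media so that find, ls, head and grep are not the compromised copies.

# list_setid ROOT
# Print "MODE OWNER KIND PATH" for every setuid or setgid regular file
# under ROOT. KIND is "script" when the file starts with "#!", else "binary".
# -xdev keeps find on the one filesystem being audited.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f in "$@"; do
            if head -c 2 -- "$f" 2>/dev/null | grep -q "^#!"; then
                kind=script
            else
                kind=binary
            fi
            mode_owner=$(ls -ld -- "$f" | awk "{print \$1, \$3}")
            printf "%s %s %s\n" "$mode_owner" "$kind" "$f"
        done' sh {} +
}

# backup_is_clean DIR
# Succeed only if DIR (for example the saved copy of /etc) contains no
# setuid or setgid files at all.
backup_is_clean() {
    [ -z "$(list_setid "$1")" ]
}

# Usage (paths are assumptions): sh audit.sh /mnt/hacked
if [ "$#" -gt 0 ]; then
    list_setid "$1"
fi
```

Lines whose owner is root and whose kind is script are the ones the question asks about; any hit inside the saved /etc means the backup should not be restored as-is.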