On Sun, Jun 29, 2003 at 04:16:47PM +0200, Thomas Lamy wrote:
> > Re-installing from scratch would be a real pain... the server runs on a
> > 3ware array, and has hundreds of users, all active :-/
> IMHO there's only one safe way to go after being hacked: reinstall.

Jason, if you're really determined not to do a reinstall, you can first
construct a list of all installed packages, download them from your
nearest mirror, and re-install them with dpkg. that will fix up the
debian packages but WILL NOT do anything about non-debian binaries that
may be on your system...you'll have to find and fix them by hand.

overall, this is not a good idea - your script-kiddie may be logged in
while you're fixing the machine, silently unfixing it.

that said, i have fixed a few (remotely-located) boxes this way, to avoid
the travel time & expense of going out to sit at the console to do a
complete reinstall. you do need to be very skilled (in security issues,
general systems admin, and debian systems admin) before you even consider
doing this....definitely NOT recommended for newbies. actually, it's not
recommended for anyone at all.

if you insist on doing this, some important packages & binaries to
reinstall first are netstat, ls, libc6, and procps - i.e. diagnostic
tools that you can run to show what processes are running, what files
are in a directory, what network connections are open etc. script-kiddies
routinely replace these with compromised versions that try to hide SK
activity.

> > Is there any way to verify the integrity of the files somehow, and
> > download/re-install any binaries that do not match the checksums or
> > something? Does dpkg or some other Debian tool have this ability?
>
> Dunno - rpm has the option of checking md5 sums, but the dpkg manpage isn't
> promising in this regard.

my dlocate package has an md5 checking facility but a) not all debian
packages have md5sum files, and b) debian md5sum files are not signed, so
they're easily compromised by any script-kiddie that cares to bother.

in short, it's a nice idea but not terribly useful. e.g.

# dlocate -md5check net-tools
/usr/sbin/arp OK
/usr/share/man/man5/ethers.5.gz OK
/usr/share/man/man8/arp.8.gz OK
/usr/share/man/man8/ifconfig.8.gz OK
/usr/share/man/man8/mii-tool.8.gz OK
/usr/share/man/man8/nameif.8.gz OK
/usr/share/man/man8/netstat.8.gz OK
/usr/share/man/man8/plipconfig.8.gz OK
/usr/share/man/man8/rarp.8.gz OK
/usr/share/man/man8/route.8.gz OK
/usr/share/man/man8/slattach.8.gz OK
/usr/share/locale/de/LC_MESSAGES/net-tools.mo OK
/usr/share/locale/fr/LC_MESSAGES/net-tools.mo OK
/usr/share/locale/pt_BR/LC_MESSAGES/net-tools.mo OK
/usr/share/locale/et_EE/LC_MESSAGES/net-tools.mo OK
/usr/share/locale/cs/LC_MESSAGES/net-tools.mo OK
/usr/share/doc/net-tools/README OK
/usr/share/doc/net-tools/README.ipv6 OK
/usr/share/doc/net-tools/TODO OK
/usr/share/doc/net-tools/copyright OK
/usr/share/doc/net-tools/changelog.Debian.gz OK
/sbin/ifconfig OK
/sbin/nameif OK
/sbin/plipconfig OK
/sbin/rarp OK
/sbin/route OK
/sbin/slattach OK
/sbin/ipmaddr OK
/sbin/iptunnel OK
/sbin/mii-tool OK
/bin/netstat OK

craig
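An added illustration of the md5 check craig describes and of the weakness he points out; this is example code written for this page, not dlocate itself. It reads a list in the layout of Debian's /var/lib/dpkg/info/<pkg>.md5sums ("<md5>  <path relative to />") against a constructed scratch tree standing in for /, and then shows that because the list is unsigned and sits on the same disk, a regenerated list makes a replaced binary read OK, which is why the reference must come from somewhere the intruder could not write, such as a package freshly fetched from a mirror.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_md5sums(md5sums_text, root):
    """Map each listed file to OK, FAILED (content changed) or MISSING.
    root is the tree the relative paths resolve against (/ on a live box)."""
    results = {}
    for line in md5sums_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results["/" + rel] = "MISSING"
        elif md5_of(full) != expected:
            results["/" + rel] = "FAILED"
        else:
            results["/" + rel] = "OK"
    return results

def make_md5sums(root, rel_paths):
    """Build an md5sums list from whatever is on disk under root right now."""
    return "\n".join(f"{md5_of(os.path.join(root, p))}  {p}" for p in rel_paths)

def demo():
    """Constructed scratch tree with three stand-in 'binaries' (not real files)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for name in ("netstat", "ls", "ps"):
        with open(os.path.join(root, "bin", name), "wb") as f:
            f.write(b"genuine " + name.encode() + b"\n")
    reference = make_md5sums(root, ["bin/netstat", "bin/ls", "bin/ps"])
    # Simulated compromise: ls replaced, ps deleted.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"replaced ls\n")
    os.remove(os.path.join(root, "bin/ps"))
    honest = check_md5sums(reference, root)
    # The caveat: an unsigned list on the same disk can simply be regenerated.
    rewritten = make_md5sums(root, ["bin/netstat", "bin/ls"])
    return honest, check_md5sums(rewritten, root)
```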