By the way:
Can dpkg check the files in my filesystem against the version which is in the packages
database? So I can verify if the binary was modified. Then the only thing I need is a
signing of the dep-packages and the database itself (perhaps with an external key).
Is something like this possible or is it planned?
Oliver
> -----Original Message-----
> From: Lukas Eppler [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 12 July 2001 10:36
> To: Alvin Oga; kath
> Cc: [EMAIL PROTECTED]
> Subject: Re: was I cracked? (rpc.statd, new version)
>
>
> Thank you all for the hints.
> I think I will install tripwire for the future. I didn't have it up to now,
> so for the moment it does not tell me much. The hacked machine is the only
> one with 2.2 I control, so checking the binaries would involve unpacking debs
> by hand, I guess. I have looked at creation times and setuid flags, and I
> have run a portscan from outside and haven't found anything unusual.
> So as Ethan said, I think I survived...
>
> I have tried the exploit myself from outside on my machine. It produced a
> similar entry in the logs, the script reported to have 'failed', and my shy
> test command (touch /blah) was not executed. This seems evidence to me that
> it was actually the old rpc.statd hole he/she tried to crack, and I know my
> version is safe (not because my own attack failed, but because debian says
> so).
> I will
> - install tripwire to observe more
> - remove nfs-common (the machine is a fresh install, I couldn't go over all
>   the services yet)
>
> Thank you for your help
>
> Lukas
>
> On Thursday, 12. July 2001 03.55, Alvin Oga wrote:
> > i like a simple/stupid solution
> > tar zcvf /safe_place_off_line/original_binaries.tgz \
> > /bin /lib /sbin /usr/{bin,sbin,lib} /etc
> >
> > ( it's a quickie test... to compare the current binaries
> > ( against what was the original
> >
> > if you're still not sure... that they ADDED some of their own
> > apps .... then run tripwire.... and wait and wait..
> > but then you'd have an answer if you have a good tripwire db going
> >
> > dozen different ways to identify if they got in and what they
> > changed... choose your preferred way...
> >
> > c ua
> > alvin
> >
> > On Wed, 11 Jul 2001, kath wrote:
> > > You can check for modified binaries with tripwire.
> > >
> > > If this was a decent hacker or even a script kiddie using a good tool,
> > > they probably would have purged your logs of all evidence.
> > >
> > > So either:
> > >
> > > a) They are second rate
> > > or
> > > b) They didn't get in
>
> --
> Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
> http://www.tempobrain.com | icq # 5856 2285
> +44 20 7233 6206 | +44 79 8037 7312
> +41 1 389 29 29 | +41 76 373 07 87
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
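Added example, not part of the original messages: dpkg keeps per-package MD5 lists in /var/lib/dpkg/info/<package>.md5sums for packages that ship one, and the function below checks a file tree against such a list (the debsums tool does the same job). The function names and the sample tree are constructed for illustration; since the list sits on the same disk as the binaries, take it from a trusted copy or a freshly downloaded .deb when a compromise is suspected.

```shell
#!/bin/sh
# Added example: compare files under a root against a dpkg-style md5sums list.
# Each list line is "<md5>  <path relative to root>", the layout used by
# /var/lib/dpkg/info/<package>.md5sums.

# verify_md5sums LIST [ROOT]
# Prints "MODIFIED <path>" or "MISSING <path>" for every entry that fails.
# Returns 0 if all listed files match, 1 otherwise.
verify_md5sums() {
    list=$1
    root=${2:-/}
    status=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$list"
    return $status
}

# Constructed sample: a fake root with two "installed" files and their list.
# Prints the temporary directory that holds root/ and pkg.md5sums.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/sbin" "$dir/root/bin"
    printf 'statd v1\n' > "$dir/root/sbin/rpc.statd"
    printf 'ls v1\n' > "$dir/root/bin/ls"
    ( cd "$dir/root" && md5sum sbin/rpc.statd bin/ls ) > "$dir/pkg.md5sums"
    echo "$dir"
}

# On a Debian system, with the list taken from trusted media:
#   verify_md5sums /var/lib/dpkg/info/nfs-common.md5sums /
```

Configuration files are normally not in these lists, so a clean result says nothing about /etc.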