Try checking out www.grsecurity.net. It's a collection of patches and a very excellent ACL system written by a friend of mine. It also incorporates the OpenWall / pax patches among other things.

- Josh Reynolds

On Sat, 9 Feb 2002, Jeff Bonner wrote:

> > -----Original Message-----
> > From: Henrique de Moraes Holschuh [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, February 09, 2002 12:40 PM
> > To: Tina Embrey [mailto:[EMAIL PROTECTED]]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: HELP I've been cracked
> >
> > > My Debian 2.2 Potato and Woody Servers have been attacked
> > > by a cracker who has installed a 'root kit' and broke ps
> > > and several other core components of the OS. [...]
> > >
> > > Is there any way to fix the broken apps, and get the system
> > > secured again ?
> >
> > None that are worth the risk. A full reinstall is the only
> > alternative we could recommend in good faith. Everything else
> > is not 100% guaranteed.
>
> I must second this comment. Frankly, there is no practical way to be
> certain of what has been compromised, thus the entire system is suspect.
> This may apply despite something like Tripwire being used, because it
> could be foiled by a particularly skilled blackhat (or poor
> installation). I know it probably isn't the answer you were hoping for,
> but I think most everyone would agree it's the best solution.
>
> There ARE some tools for detecting certain rootkits, but I mention this
> only because it could be educational for you to learn how they broke in
> and fooled around. One of these will find commonly-installed items that
> skript kiddies might use:
>
> $ apt-cache show chkrootkit
>
> You should NOT rely on this as your only means of intrusion detection,
> however. I would also discourage you from repairing the system based on
> the results you find with chkrootkit, because it may not be accurate,
> and/or there may be additional tampering elsewhere that it doesn't find.
>
> One of the things I did with my firewall was compile all the needed
> modules into the kernel, so that no additional modules can be loaded --
> which is one way a hacker can install things. You might look into this,
> or perhaps use "LIDS", the Linux Intrusion Detection system. It's a
> kernel-based hardening program (for lack of a more concise term):
>
> $ apt-cache show lids-2.2.19
> and
> http://www.lids.org
>
> > Please look for the security Debian howto at:
> > http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html
>
> An excellent security reference, with concepts that are good practice
> for all Linux boxen.
>
> Other suggested reading (not Debian-centric):
>
> http://staff.washington.edu/dittrich/R870/reacting.html
> http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
> http://www.enteract.com/~lspitz/linux.html
> http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
>
> Last but not least, once you have secured your machine as best you can,
> run a variety of security tools against it, such as Nessus, raccess,
> nmap and so forth. You might find additional holes that can be plugged.
>
> Hope that helps,
>
> Jeff Bonner
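The advice in the thread above, that a box with a trojaned `ps` is suspect from top to bottom and that a Tripwire-style check can be fooled, is easier to weigh with a concrete integrity check in hand. The Python below is an added example, not code from the thread and not Debian's own tooling: it parses the checksum list dpkg records at install time (`/var/lib/dpkg/info/<package>.md5sums`, one `<md5hex>  <path>` line per installed file, the same data the `debsums` package checks) and verifies a filesystem tree against it. The mini-root, the file contents and the trojaned `ps` are constructed in a temporary directory purely for the demonstration.

```python
"""Verify installed files against the md5sums dpkg recorded at install time.

Added example for the debian-security thread on rootkit recovery; not code
from the thread or from Debian. The sample tree below is constructed.
"""
import hashlib
import os
import shutil
import tempfile


def parse_md5sums(text):
    """Parse dpkg's <pkg>.md5sums format: '<md5hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError("malformed md5sums line: %r" % line)
        entries[path] = digest.lower()
    return entries


def md5_of_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries do not land in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(entries, root="/"):
    """Check every recorded path under `root`; returns path -> ok/MODIFIED/MISSING.

    Point `root` at a suspect disk mounted read-only under a rescue system:
    a checker running on the compromised kernel sees only what the rootkit
    chooses to show it.
    """
    results = {}
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) != expected:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "ok"
    return results


def demo():
    """Build a constructed mini-root, record checksums, trojan ps, re-verify.

    Returns (report_before_tampering, report_after_tampering).
    """
    root = tempfile.mkdtemp(prefix="md5sums-demo-")
    try:
        # Constructed stand-ins for the procps binaries; not real packages.
        files = {
            "bin/ps": b"#!/bin/sh\necho genuine ps\n",
            "usr/bin/top": b"#!/bin/sh\necho genuine top\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # What dpkg would have written to /var/lib/dpkg/info/procps.md5sums.
        md5sums_text = "".join(
            "%s  %s\n" % (hashlib.md5(d).hexdigest(), rel) for rel, d in files.items()
        )
        entries = parse_md5sums(md5sums_text)
        clean = verify(entries, root)

        # Simulate the intruder: ps replaced by a wrapper that hides a process,
        # top deleted outright.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"#!/bin/sh\nps.orig \"$@\" | grep -v backdoor\n")
        os.remove(os.path.join(root, "usr/bin/top"))
        tampered = verify(entries, root)
        return clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    for label, report in (("before", before), ("after", after)):
        for path, status in sorted(report.items()):
            print("%-6s %-9s %s" % (label, status, path))
```

Run it directly to see the constructed tree go from all `ok` to `MODIFIED` for `bin/ps` and `MISSING` for `usr/bin/top`, or import `verify()` against a real disk. Two caveats follow directly from the thread: the md5sums read from a compromised `/var/lib/dpkg` may themselves have been edited, so take them from the control archive inside the original `.deb` files or a trusted mirror, and a clean report from any checker that ran on the live, compromised kernel proves little, because a kernel-module rootkit can serve clean bytes to the checker while serving trojaned ones to everything else. That is why the verdict above is a reinstall; a dirty report is mainly useful for learning what the intruder touched before you wipe.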