hi bas

On Mon, 25 Aug 2003, Bas Benschop wrote:
> Hello,
>
> This weekend several systems at our site were hacked. In /var/spool/.test/
> several programs were installed, log, pscan, x and xscan.

do you mind saying which "versions" they broke into

do you mind saying how you think they got in ??

> Also some system utilities were replaced with older versions. Is it
> possible to check the versions of programs and compare them with the
> versions in the package database?

unless you were running tripwire, aide, and other filesystem checker,
it'd be a lot of work to check the integrity

do you have other identical systems to check against ??

easiest way:

    new box# rebuild a new deb box from scratch
        -- put in a new disk is best way ... and start to build
           a new debian install

    hacked box# dpkg --get-selections > /mnt/floppy/installed.list

    new box# dpkg --set-selections < /mnt/floppy/installed.list

    new box# ls -laR /bin /sbin /lib /usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /usr/local/lib .. other stuff you wanna check ..

    you can do all the md5sum stuff too but too much work and a lot slower

    compare the results with a clean "diff" on the new box and the hacked box
    and reinstall the affected packages

    - check the libraries
    - check the /sbin /usr/sbin binaries
    - check the /bin /usr/bin binaries
    - check /usr/local

- endless and daily checking ..

    hacked box# apt-get dist-upgrade
    hacked box# apt-get update
    hacked box# apt-get upgrade

- burn a cdrom of a brand-new disk before it goes live on the net
  so that you always have a basis to compare against

- gazillion ways to "verify" the systems

c ya
alvin
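
The clean-box versus hacked-box comparison described above, as an added example that is not part of the original message: it diffs two md5sum manifests and reports added, changed and missing files. The function names, the manifest file names and the sample checksums are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare an md5sum manifest from a freshly built reference box
# with one taken from the suspect box. Manifest lines are md5sum(1) output:
#   <32 hex digits><2 separator chars><path>
# Build each manifest with trusted tools (rescue CD, or the disk mounted in a
# clean machine), because md5sum/find on the suspect box may be replaced too:
#   find /bin /sbin /lib /usr/bin /usr/sbin -type f -exec md5sum {} + > box.md5

compare_manifests() {
    # $1 = manifest from the clean box, $2 = manifest from the suspect box
    awk '
        length($0) < 35 { next }                  # skip blank or short lines
        { sum = $1; path = substr($0, 35) }       # keeps spaces in file names
        FILENAME == ARGV[1] { clean[path] = sum; next }
        {
            seen[path] = 1
            if (!(path in clean))        print "ADDED   " path
            else if (clean[path] != sum) print "CHANGED " path
        }
        END {
            for (p in clean) if (!(p in seen)) print "MISSING " p
        }
    ' "$1" "$2" | LC_ALL=C sort
}

demo_constructed() {
    # Constructed sample manifests; the checksums are placeholders, not real.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/clean.md5" <<'EOF'
11111111111111111111111111111111  /bin/ls
22222222222222222222222222222222  /bin/ps
33333333333333333333333333333333  /usr/bin/top
EOF
    cat > "$tmp/suspect.md5" <<'EOF'
11111111111111111111111111111111  /bin/ls
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  /bin/ps
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  /var/spool/.test/pscan
EOF
    compare_manifests "$tmp/clean.md5" "$tmp/suspect.md5"
    rm -rf "$tmp"
}

demo_constructed
```

A CHANGED line on a system binary means the package that owns it should be reinstalled from trusted media; an ADDED line under a directory no package owns needs manual review.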