Hello Alexander,
On 2/8/12 09:53 , v...@lab127.karelia.ru wrote:
Today I found the following things on squeeze. Please help to fix; I've no
experience in such tasks.
Checking `ifconfig'... INFECTED
I was wondering if we're not losing perspective of what is realistic in
a certain situation, especially
On Thu, 9 Feb 2012, Jason Fergus wrote:
> Out of curiosity, couldn't one technically boot up a liveCD, mount the
> drive(s) and then download the .debs individually, then extract them
> over the mounted partitions, effectively copying over all of the
> binaries.
There is the possibility of SUID b
On Wed, 2012-02-08 at 18:16 -0600, Mike Mestnik wrote:
> On 02/08/12 18:07, Russell Coker wrote:
> > On Thu, 9 Feb 2012, Stephen Hemminger wrote:
> >> The advice I heard is trust nothing (even reflash the BIOS).
> > Do you know of any real-world exploits that involve replacing the BIOS?
> > It's
On Thu, Feb 09, 2012 at 11:07:20AM +1100, Russell Coker wrote:
>On Thu, 9 Feb 2012, Stephen Hemminger wrote:
>>The advice I heard is trust nothing (even reflash the BIOS).
>
>Do you know of any real-world exploits that involve replacing the BIOS? It's
>been theoretically possible for a long time
On 02/08/12 18:07, Russell Coker wrote:
> On Thu, 9 Feb 2012, Stephen Hemminger wrote:
>> The advice I heard is trust nothing (even reflash the BIOS).
> Do you know of any real-world exploits that involve replacing the BIOS? It's
> been theoretically possible for a long time but I haven't seen a
On Thu, 9 Feb 2012, Stephen Hemminger wrote:
> The advice I heard is trust nothing (even reflash the BIOS).
Do you know of any real-world exploits that involve replacing the BIOS? It's
been theoretically possible for a long time but I haven't seen any references
to it being done.
Also one thi
On 02/08/12 02:41, Laurentiu Pancescu wrote:
> On 2/8/12 09:53 , v...@lab127.karelia.ru wrote:
>> Today I found the following things on squeeze. Please help to fix; I've no
>> experience in such tasks.
>
> As Fabian already mentioned, you cannot know what an attacker changed
> in the system (especially now
On Wed, 08 Feb 2012 22:56:16 +
Chris Davies wrote:
> Milan P. Stanic wrote:
> > What about statically linked binaries on the external media (CD, DVD,
> > USB ...) which is write protected with 'execute in place' mode?
>
> You can no longer trust the kernel. Therefore you cannot trust
> ANY
Milan P. Stanic wrote:
> What about statically linked binaries on the external media (CD, DVD,
> USB ...) which is write protected with 'execute in place' mode?
You can no longer trust the kernel. Therefore you cannot trust
ANY application that runs under that kernel, either directly or
indirectl
On Wed, 2012-02-08 at 19:39, Michael Stummvoll wrote:
> Am 08.02.12 18:46, schrieb Fernando Mercês:
> > Reading memory after turning off? Is there an easy way to do it?
> >
> > When I said "your own binaries", I mean "get fresh copies of
> > binaries and use them in the system with a USB stick or something li
Michael,
I think you're talking about syscall interceptions and related stuff.
You're right, we can't trust it, but in this case we're talking about
a very specialized malware and I don't see any fast action to bypass
it. Maybe the conclusion is that we can't trust anything, so we can't
do anythin
Am 08.02.12 19:51, schrieb Jutta Zalud:
> Michael Stummvoll wrote:
>
>> And who says that the new binaries don't work in "compromised
>> mode", e.g. with an LD_PRELOAD? ;)
>
>> you can't trust a compromised system, not even when you are running
>> (or think you are running) your own binaries. Who knows, wh
Michael Stummvoll wrote:
> And who says that the new binaries don't work in "compromised mode",
> e.g. with an LD_PRELOAD? ;)
> you can't trust a compromised system, not even when you are running (or
> think you are running) your own binaries. Who knows what the kernel does.
What exactly do you mean by "
Am 08.02.12 18:46, schrieb Fernando Mercês:
> Reading memory after turning off? Is there an easy way to do it?
>
> When I said "your own binaries", I mean "get fresh copies of
> binaries and use them in the system with a USB stick or something like that.
> Do not use the compromised system binaries". That's i
Reading memory after turning off? Is there an easy way to do it?
When I said "your own binaries", I mean "get fresh copies of binaries
and use them in the system with a USB stick or something like that. Do not use
the compromised system binaries". That's it. ;-)
BR,
Fernando Mercês
Linux Registered User #43
On 08.02.2012 17:03, Fernando Mercês wrote:
> Humm... you're all right, dumping before reboot is much better.
>
> Another tip: dump with your own dd/rsync binary copies. Remember: you
> cannot trust this system.
>
> You can also capture some network traffic and general volatile data
> (memory) befo
Humm... you're all right, dumping before reboot is much better.
Another tip: dump with your own dd/rsync binary copies. Remember: you
cannot trust this system.
You can also capture some network traffic and general volatile data
(memory) before reboot.
BR,
Fernando Mercês
Linux Registered User #
But, the most important: think before you act. If you wipe and reinstall
the system, it could be as vulnerable as it was, so it may be rooted
before you have it fully up again. Consider the following:
- Cut network connection. Having the system off-line you can investigate
the situation undist
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I would rather (if it's ok for the server to be down for a while) unplug
the internet cable and dd (and/or rsync) all the partitions before
rebooting.
A lot of information (including swap) is lost during reboot...
Best,
Leonor Palmeira.
On 08/02/12 1
I recommend you boot with some live CD system and make a dump of each
partition, including swap, with dd, so you can analyze it after wiping
your system.
This analysis will help you to discover how the attacker gained root
access, protect your actual system and feed the community with real case
informa
On Wed, Feb 08, 2012 at 11:53:14AM +0300, v...@lab127.karelia.ru wrote:
> Today I found the following things on squeeze. Please help to fix; I've no
> experience in such tasks.
>
> # chkrootkit
> ROOTDIR is `/'
> Checking `ifconfig'... INFECTED
> Checking `netstat'...
On 2/8/12 09:53 , v...@lab127.karelia.ru wrote:
Today I found the following things on squeeze. Please help to fix; I've no
experience in such tasks.
As Fabian already mentioned, you cannot know what an attacker changed in
the system (especially now that chkrootkit found a rootkit), therefore
you canno
"v...@lab127.karelia.ru" wrote:
> Today I found the following things on squeeze. Please help to fix; I've no
> experience in such tasks.
Reinstall. You cannot trust a machine that had been rooted.
--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Tro