Re: Attempt to breakin
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 12 Jul 2005 23:39:41 GMT
"anto a.k.a last_stage_delirium®" <firstname.lastname@example.org> writes:
>> I guess the question is how can I make sure that the data on the box
>> that was hacked is bug free before returning it to my customers?
>> Again thanks for everybody's help on this matter
It depends on what preparation you made for this eventuality.
There is clearly no way that you can tell if they altered one of your files
if you know nothing about what the file was supposed to be.

But the standard lore is: back up user stuff (/home). Make a copy of the
setup info (/etc, /var/spool). Completely wipe the
disk, or the partitions. Reinstall the operating system from scratch (not
update or upgrade but reinstall). Set up the various things from your
backup of /etc/ and /var/spool.

Then once you have reinstalled, search for suid programs in the stuff you
backed up (eg /home):

find /home -perm /6000 -ls

Make completely sure that all of those files should be suid. Especially if
they are suid or sgid root, be very very very very suspicious.

Reinstall the users (not the system users, just the ordinary users) from
the saved /etc/passwd and /etc/shadow, but again be very suspicious of each
and every user, making sure that they are legitimate users.
Zero out the passwords of all users in /etc/shadow, and have the users redo
their passwords. Assume that the cracker has a list of each and every
password of each user.

Remove all .ssh/ directories from each user's home
directory, and have them all remake them from scratch. Assume that the
cracker has all of the information from them, and that all are
Also assume that each user has been cracked on all computers on which he
uses the same password or on which he uses passwordless login via ssh, and
do the same for each and every one of those computers.

Then hope that you have gotten everything.
>This time it's too late. You can calculate the digest of every program
>with md5sum, and any time you have this kind of doubt, check the sums you
>have calculated. Of course you have to do a (simple) script...
>The file with the md5sums must be *only* in your pocket!!!
>Don't forget to md5sum the kernel!!
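The rebuild checklist in Unruh's reply (setuid audit of the restored /home, re-creating only the ordinary accounts, invalidating every saved password, discarding every .ssh directory) and anto's digest-baseline suggestion, as one added shell example. This is not code from either poster; it builds its own scratch tree with make_sample so it can be run anywhere. Assumptions of my own: ordinary accounts are those with UID 1000 or above (your distro's login.defs sets the real cut-off), the password field is replaced with "!" to lock the account until the user sets a new one rather than literally emptied, and sha256sum stands in for the md5sum anto mentions; the baseline file is meant to be written to removable media, as the post says, not left on the box.

```shell
#!/bin/sh
# Added example, not code from the thread: the post-compromise checks from
# the rebuild checklist plus an off-box digest baseline, exercised against a
# constructed scratch tree rather than a real host.
set -eu

# Constructed sample: a restored /home with one planted setuid file and one
# .ssh directory, a saved passwd/shadow pair, and a fake /bin to baseline.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.ssh" "$root/home/bob" "$root/etc" "$root/bin"
    printf 'ssh-ed25519 EXAMPLEKEY alice@laptop\n' > "$root/home/alice/.ssh/authorized_keys"
    printf '#!/bin/sh\n' > "$root/home/bob/rootme"
    chmod 4755 "$root/home/bob/rootme"          # planted setuid-root style binary
    printf 'shopping list\n' > "$root/home/bob/notes"
    chmod 644 "$root/home/bob/notes"
    printf 'binary-one\n' > "$root/bin/ls"
    printf 'binary-two\n' > "$root/bin/sh"
    cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF
    cat > "$root/etc/shadow" <<'EOF'
root:$6$saltsalt$hashhash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
alice:$6$saltsalt$hashhash:16000:0:99999:7:::
bob:$6$saltsalt$hashhash:16000:0:99999:7:::
EOF
    echo "$root"
}

# 1. Every setuid or setgid file under the restored home tree. Nothing in
#    /home normally needs these bits, so each hit is a human decision.
list_suid() {   # $1 = restored home directory
    find "$1" -type f -perm /6000
}

# 2. Ordinary accounts from the saved passwd copy; system users are left to
#    the fresh install. UID >= 1000 is an assumed cut-off (see login.defs).
list_ordinary_users() {   # $1 = saved passwd file
    awk -F: '$3 >= 1000 && $1 != "nobody" { print $1 }' "$1"
}

# 3. Invalidate every password hash in the saved shadow copy ("!" locks the
#    account) so nothing from the compromised box is carried over; users
#    set new passwords after the rebuild. Writes <file>.locked, prints its path.
lock_all_passwords() {   # $1 = saved shadow file
    awk -F: 'BEGIN { OFS = ":" } { $2 = "!"; print }' "$1" > "$1.locked"
    echo "$1.locked"
}

# 4. Discard every per-user .ssh directory: keys and authorized_keys are
#    assumed to be in the attacker's hands and are rebuilt from scratch.
remove_ssh_dirs() {   # $1 = restored home directory
    find "$1" -mindepth 2 -maxdepth 2 -type d -name .ssh -exec rm -rf {} +
}

# 5. Digest baseline of the freshly installed binaries, written to a file
#    that lives off the box; verify_baseline later prints "<path>: FAILED"
#    for anything that changed and exits non-zero.
make_baseline() {   # $1 = directory to baseline, $2 = baseline file (absolute path)
    (cd "$1" && find . -type f -exec sha256sum {} +) | sort > "$2"
}
verify_baseline() {   # $1 = directory, $2 = baseline file (absolute path)
    (cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null)
}

# Walk the saved copies once and print what a human must now review.
demo() {
    root=$(make_sample)
    echo "== setuid/setgid files under restored home =="; list_suid "$root/home"
    echo "== ordinary accounts to re-create =="; list_ordinary_users "$root/etc/passwd"
    echo "== locked shadow written to $(lock_all_passwords "$root/etc/shadow")"
    remove_ssh_dirs "$root/home"
    make_baseline "$root/bin" "$root/baseline.sha256"
    verify_baseline "$root/bin" "$root/baseline.sha256" && echo "baseline OK"
    rm -rf "$root"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the review lists; on a real rebuild, point list_suid and remove_ssh_dirs at the mounted backup, the passwd/shadow helpers at the saved /etc copy, and make_baseline at the freshly installed system directories before the box goes back on the network, keeping the baseline file on media that never stays attached.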