On Apr 10, 2005 12:49 PM, T'Krin tkrin@tkrin.net wrote:
On Sat, April 9, 2005 11:04 pm, Phil Brutsche said:
Chris Mauritz wrote:
That is absolutely the way to handle a hacked machine. Unless you've got MD5 fingerprints of each file on the system (a la tripwire), there is no way of knowing where the naughty people may have stashed future surpises for the original poster.
And even then you need to have those fingerprints on RO media and verify them off-line (relative to the machine's normal state) such as from a bootable rescue CD.
If you can aford the time, if you have not already, you need to determine how the hacker gained access, otherwise, when you re-install your OS and applications again, you may well get hacked all over again.
Having Tripwire, etc., may be useful for determining what files were changed, but I'd never rely on a host integrity system to 'recover' a system. Always re-install to have a clean system. You'll be much better off.
Just my 2cents. :)
It is also much more cost-effective to re-install and restore *data* from backup. It will also give you a re-assurance that you didn't miss any backdoors etc.
Re-install + restore data shouldn't take more then 2 hours. Trying to salvage a system, where you can't be certain that you found all the malware, usually takes much longer. So it is better both from a technical point of view and from a business point of view to re-install the machine (tip: have a "rescue" kickstart image for each server - it can save you enormous amount of time in some cases, and it will always be faster then human interaction. And at the same time you can be sure you get all the packages you need every time you do it).
If you don't have a working backup of the data you can copy it from the compromised system, but be careful so you only get *data* and not applications and stuff. This is why backup of data is SO important, but I usually don't waste backup storage on something that can be easily re-installed (so I backup /home/*, /etc/* and so on - but I don't waste time and storage for /bin, /sbin/, /lib, /usr/sbin etc.).
You can ask RPM to tell you which files has been modified since install. This is good for finding out what to backup but don't trust it when it comes to figure out what has been modified in an intrusion. The RPM database is easy to manipulate for an attacker.
Best regards Michael Boman