On 22/11/01 00:18 +0100, Pascal Nobus wrote:
> ----- Original Message -----
> From: "Ihsahn Diablo" <traktopikaat_private>
>
> > So I have one more thing to ask you: to give me some good links about what
> > to do after a break or what to do if somebody is in the middle of an attack.
>
> boot your server up in single user mode
> enter these commands
> rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
> chmod +x /root/verify-rpms
> /root/verify-rpms > /root/verify-results

And your attacker has modified the online RPM database to give the new
md5sums :). You can trust *nothing* on the cracked system. Check from an
offline database.

Make sure you have recent tripwire backups, and check those from a good
known-to-be-correct database against the current status of the systems.
Compare md5sums of every file with the ones on a known-to-be-clean system.
(Just in case an LKM has been installed which catches open, and misses
stat/read or whatever else).

> wait for this list to complete
>
> if you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login,
> /etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services, /usr/bin/find
> showing up in this list then it's very likely you have been hacked into
>
> you can determine which rpm each of these files came from and reinstall
> the RPM for them from a secure media (Red Hat 6.2 CDROM) via

Very bad advice. Format, patch and restore the data from backups. Harden,
then bring the machine online. You can *never* trust a machine which was
once broken into.

Devdas Bhagat
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
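The comparison Devdas describes (checksum every file and compare against a known-clean system, from outside the possibly rootkitted OS) can be scripted. The script below is an added example written for this archive page; it is not from either poster. It assumes the suspect disk has been mounted read-only under some directory from rescue media, so that no kernel module on the compromised host can lie about open/stat/read, and it builds two small constructed directory trees (a "clean" and a "suspect" one) only to demonstrate the report format. The manifest format ("<sha256>  <path>", as sha256sum prints it) and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): compare a suspect filesystem,
# mounted read-only from rescue media, against a checksum manifest taken
# from a known-clean installation of the same packages.
# Run this from the rescue environment, never from the suspect kernel:
# an LKM rootkit can hide modifications from any check done on the live box.

# make_manifest ROOT OUTFILE: write "<sha256>  ./relative/path" for every
# regular file under ROOT (paths with embedded newlines are not handled).
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | sort | while read -r f; do
        sha256sum "$f"
    done ) > "$out"
}

# compare_manifests CLEAN SUSPECT: print one line per difference
#   MODIFIED <path>  hash differs from the clean system
#   MISSING  <path>  present on the clean system, gone on the suspect
#   EXTRA    <path>  present on the suspect but unknown to the clean system
# Returns 1 if any difference was found, 0 otherwise.
compare_manifests() {
    clean=$1; suspect=$2
    awk '
        NR==FNR { clean[$2]=$1; next }          # first file: clean manifest
        {
            if (!($2 in clean))      { print "EXTRA    " $2; bad=1 }
            else if (clean[$2] != $1){ print "MODIFIED " $2; bad=1 }
            seen[$2]=1
        }
        END {
            for (p in clean) if (!(p in seen)) { print "MISSING  " p; bad=1 }
            exit bad ? 1 : 0
        }
    ' "$clean" "$suspect"
}

# build_demo: constructed sample trees (NOT real system files). The suspect
# tree has a replaced bin/ls, a deleted etc/services and an extra dev/.hidden.
build_demo() {
    tmp=$(mktemp -d)
    for t in clean suspect; do
        mkdir -p "$tmp/$t/bin" "$tmp/$t/etc" "$tmp/$t/dev"
        printf 'original ls binary\n'    > "$tmp/$t/bin/ls"
        printf 'original login binary\n' > "$tmp/$t/bin/login"
        printf 'ssh 22/tcp\n'            > "$tmp/$t/etc/services"
    done
    printf 'trojaned ls binary\n' > "$tmp/suspect/bin/ls"
    rm "$tmp/suspect/etc/services"
    printf 'hidden\n' > "$tmp/suspect/dev/.hidden"
    echo "$tmp"
}

# run_demo: manifest both constructed trees and print the sorted report.
run_demo() {
    tmp=$(build_demo)
    make_manifest "$tmp/clean"   "$tmp/clean.sha256"
    make_manifest "$tmp/suspect" "$tmp/suspect.sha256"
    compare_manifests "$tmp/clean.sha256" "$tmp/suspect.sha256" | sort
}
```

In practice the clean manifest is generated once on a freshly installed, fully patched host (or from package media) and stored off the machine, and make_manifest is pointed at the mount point of the suspect disk; unchanged files such as bin/login above produce no output, so the report lists only what needs explaining.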
This archive was generated by hypermail 2b30 : Thu Nov 22 2001 - 08:28:30 PST