You should *always* wipe and reload after being rooted, or alternatively run a full comparison of the system with a trusted source. A rootkit may not change much itself, but the attacker who used the rootkit can change anything: add trojans, compromise other system areas, leave backdoors, create accounts, hide data, etc. All of these things are dependent on the skill and motivation of the attacker. If a system has been compromised, it is impossible to ever fully "trust" that system again unless it has been completely restored from known good, trusted sources or every system file has been compared to a known trustable version. Simply eliminating the rootkit *may* eliminate your immediate problem, but you can never be absolutely positive that the system does not remain compromised in some more subtle way.

What to do after being compromised (IMO) (YMMV):

1. Remove the system from the network. DO NOT RECONNECT THE SYSTEM UNTIL IT IS COMPLETELY REBUILT. Use floppy disks or CDs to move files to and from the system during the rebuild process. Never copy anything over the network until the system is fully rebuilt and all patches, security fixes, etc. have been applied.

2. Make a complete backup of all system files, drives, etc. for analysis of the attack. If the system can be analyzed as is (in other words, you don't need the system back up ASAP), do the analysis there. Otherwise restore the backups to another box and analyze.

3. Reformat every partition on the machine. Utterly wipe out all files, executables, data, etc. If you have data you need to recover/restore, do it from backups, and ONLY EVER RESTORE DATA from a box that has been compromised. Ensure that before you move on, the box is totally lobotomized: even "data-only" partitions should (must) be wiped and recreated.

4. Reinstall your OS of choice from *known good* sources. A backup of the system made prior to the compromise is another option. The best option would be a reinstallation of the operating system followed by a restoration of data only from a backup made prior to the compromise of the system.

5. Harden your operating system and network environment as appropriate. Remember to learn the lesson you were taught by having been rooted before. Plug any and all holes known in your system, and ensure your environment protects as much as possible against future attacks.

6. Restore any data (html files, etc.) to the box that is necessary for operation. Only restore data: never, ever restore from a compromised system any binary, script, or anything else that can be executed or contains instructions. Such items on a compromised system must forevermore be treated as suspect. Custom scripts, etc. should be inspected carefully, assuming that no "trusted" source is available (a script you wrote, for example, that you have no recent backup for).

7. Before connecting to the network again, make sure that any and all passwords on the system are changed. Some rootkits archive and/or reveal passwords, so if you continue to use the same passwords, the attacker no longer even needs the rootkit or any backdoors: the front door is wide open.

This may seem extreme, but if you want to ever trust the system again, you really should do more than just plug the hole created by the rootkit. There's really no way of knowing how much damage the attacker has done since the rootkit went in. In my opinion, a compromised system must always be treated as suspect until it has been totally rebuilt. Draconian, to be sure. Others may have differing opinions on the subject, and you should listen to them as well. :)

Another way to recover from a system compromise is to make a file-by-file comparison of all the files on the system with a trusted archive. This is very painstaking, but effective, if done properly.
Tools exist to help with this process, but unless you already know exactly how big every operating system file is and what its checksum is, you may be out of luck.

You might also read some of the following:

http://www.cert.org/archive/pdf/external-incidents.pdf
http://www.cert.org/security-improvement/practices/p051.html
http://online.securityfocus.com/infocus/1184

Regards,

Corey Snow

> -----Original Message-----
> From: Gideon Lenkey [mailto:glenkey@infotech-nj.com]
> Sent: Wednesday, February 20, 2002 8:41 PM
> To: Bryan Andersen
> Cc: Vladimir Ivaschenko; incidentsat_private
> Subject: Re: strange telnet behavior
>
>
> On Tue, 19 Feb 2002, Bryan Andersen wrote:
>
> > Make a backup. Wipe and reload. Then restore your data only.
> > It has been rooted. Telnet should not be doing that at all.
>
> You really don't have to wipe and reload to recover from this
> root kit. It really doesn't change much. See the instructions in the archive:
>
> http://online.securityfocus.com/archive/75/249597
>
> --Gideon
>
> * Gideon J. Lenkey, CISSP * PGP Key ID 0x92556BEC *
> * InfoTech Associates, Inc. * pgp.mit.edu *
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
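The "file-by-file comparison with a trusted archive" that the message above describes, as an added example (this is not code from the original post, from Corey Snow, or from the list; it is the kind of check that tools such as Tripwire or AIDE automate). It builds a manifest of size, permission bits and SHA-256 for every regular file and symlink under a tree, saves it in a plain text format of my own so the manifest can be kept on read-only media made before any compromise, and diffs a suspect tree against it, reporting files that are missing, added, or modified. A mode-only change (for example a newly added setuid bit on an otherwise intact binary) counts as modified. The demo() scenario, the paths and file contents in it are constructed for illustration. The caveat the thread is arguing about applies here too: run this from known-good media (a boot CD or live image), because a kernel-level rootkit on the running system can lie to stat() and read() and make a trojaned file hash correctly.

```python
# Added example, not from the original post: manifest-based file integrity
# comparison. Run it with trusted tools from known-good media, never with the
# suspect system's own kernel and binaries.
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map relative path -> (size, permission bits, sha256) for every regular
    file and symlink under root. Symlinks hash their target string instead of
    following it, so a redirected link shows up as a change."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                digest = hashlib.sha256(os.readlink(p).encode()).hexdigest()
            elif stat.S_ISREG(st.st_mode):
                digest = sha256_file(p)
            else:
                continue  # devices, sockets, fifos are not compared here
            rel = p.relative_to(root).as_posix()
            manifest[rel] = (st.st_size, stat.S_IMODE(st.st_mode), digest)
    return manifest


def save_manifest(manifest: dict, out_path) -> None:
    """Write 'sha256 size mode path' lines (my own format) for read-only media."""
    with open(out_path, "w") as f:
        for rel in sorted(manifest):
            size, mode, digest = manifest[rel]
            f.write(f"{digest} {size} {mode:04o} {rel}\n")


def load_manifest(in_path) -> dict:
    manifest = {}
    with open(in_path) as f:
        for line in f:
            digest, size, mode, rel = line.rstrip("\n").split(" ", 3)
            manifest[rel] = (int(size), int(mode, 8), digest)
    return manifest


def compare(trusted: dict, suspect: dict) -> dict:
    """Files missing from, added to, or changed on the suspect system.
    Any difference in size, mode or hash makes a file 'modified'."""
    both = trusted.keys() & suspect.keys()
    return {
        "missing": sorted(trusted.keys() - suspect.keys()),
        "added": sorted(suspect.keys() - trusted.keys()),
        "modified": sorted(p for p in both if trusted[p] != suspect[p]),
    }


def demo() -> dict:
    """Constructed scenario: a 'trusted' tree, a manifest taken from it, and a
    tampered copy that shows each kind of difference."""
    work = Path(tempfile.mkdtemp(prefix="integrity-"))
    try:
        trusted = work / "trusted"
        for rel, body in {
            "bin/login": b"login v1\n",
            "bin/ps": b"ps v1\n",
            "etc/cron.d/job": b"0 * * * * root /usr/bin/true\n",
        }.items():
            (trusted / rel).parent.mkdir(parents=True, exist_ok=True)
            (trusted / rel).write_bytes(body)
            (trusted / rel).chmod(0o755)
        manifest_file = work / "manifest.txt"
        save_manifest(build_manifest(trusted), manifest_file)

        suspect = work / "suspect"
        shutil.copytree(trusted, suspect)
        (suspect / "bin/login").write_bytes(b"login v1 + credential logger\n")  # trojaned
        (suspect / "bin/ps").chmod(0o4755)              # setuid added, content intact
        (suspect / "etc/cron.d/job").unlink()           # job removed
        hidden = suspect / "tmp/.x"
        hidden.mkdir(parents=True)
        (hidden / "backdoor").write_bytes(b"#!/bin/sh\n")  # new file

        return compare(load_manifest(manifest_file), build_manifest(suspect))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would run save_manifest() on a freshly installed and patched box, burn the manifest to a CD, and later boot from trusted media, mount the suspect disk read-only, and run compare() against it; anything in "modified" or "added" gets the same treatment the message gives to binaries from a compromised box.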
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 11:44:33 PST