Re: Questions = Thanks

From: Devdas Bhagat (devdas@worldgatein.net)
Date: 11/22/01


Date: Thu, 22 Nov 2001 11:47:06 +0530
From: Devdas Bhagat <devdas@worldgatein.net>
To: Pascal Nobus <pascal@nobus.be>
Subject: Re: Questions = Thanks
Message-ID: <20011122114706.F14875@file.print.server>

On 22/11/01 00:18 +0100, Pascal Nobus wrote:
> ----- Original Message -----
> From: "Ihsahn Diablo" <traktopika@hotmail.com>
>
> > So I have one more thing to ask you: to give me some good links about
> > what to do after a break or what to do if somebody is in the middle of
> > an attack.
>
> boot your server up in single user mode
> enter these commands
> rpm -qa|sed "s/^/rpm --verify /g" > /root/verify-rpms
> chmod +x /root/verify-rpms
> /root/verify-rpms > /root/verify-results
And your attacker has modified the online RPM database to give the new
md5sums :).
You can trust *nothing* on the cracked system. Check from an offline
database. Make sure you have recent tripwire backups, and check those
from a good known-to-be-correct database against the current status of
the systems. Compare md5sums of every file with the ones on a known to
be clean system. (Just in case a LKM has been installed which catches
open, and misses stat/read or whatever else).

> wait for this list to complete
>
> if you see files like /bin/ls, /bin/ps, /bin/login, /etc/pam.d/login,
> /etc/pam.d/passwd, /etc/rc.d/rc.sysinit, /dev/*, /etc/services,
> /usr/bin/find
> showing up in this list then it's very likely you have been hacked into
>
> you can determine which rpm each of these files came from and reinstall
> the RPM for them from a secure media (Red Hat 6.2 CDROM) via
Very bad advice. Format, patch and restore the data from backups.
Harden, then bring the machine online.
You can *never* trust a machine which was once broken into.

Devdas Bhagat
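The check Devdas describes (compare every file's hash against a manifest taken from a known-clean system, rather than trusting the RPM database on the compromised box) can be done with a short POSIX shell script. The script below is an added example and is not part of the original thread; it assumes coreutils `sha256sum` (the thread talks about md5sums; any hash tool with the same `hash  path` output format works) and that the suspect filesystem is mounted read-only from rescue media, so that no kernel module on the compromised host sits between the script and the files. The `good/` and `suspect/` trees in `demo` are constructed sample data.

```shell
#!/bin/sh
# Compare a hash manifest taken from a known-good system against hashes
# computed over the suspect filesystem, and report what differs.
# Added example; not code from the original mailing-list thread.
set -eu

# Hash tool; must print "<hash>  <path>" like coreutils sha256sum/md5sum.
HASH_CMD="${HASH_CMD:-sha256sum}"

# make_manifest DIR
# Prints one "<hash>  ./relative/path" line per regular file under DIR,
# sorted so manifests from two hosts are directly comparable.
# Paths containing whitespace are not handled (keeps the awk below simple).
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        "$HASH_CMD" "$f"
    done )
}

# compare_manifests BASELINE CURRENT
# BASELINE comes from the clean reference system (offline media, tripwire
# baseline, a freshly installed twin); CURRENT from the suspect disk.
# Prints "MODIFIED path" (hash differs), "MISSING path" (gone from the
# suspect system) and "ADDED path" (present only on the suspect system).
compare_manifests() {
    baseline="$1"
    current="$2"
    awk '
        NR == FNR { base[$2] = $1; next }   # first file: baseline
        { cur[$2] = $1 }                    # second file: current
        END {
            for (p in base) {
                if (!(p in cur))            print "MISSING " p
                else if (base[p] != cur[p]) print "MODIFIED " p
            }
            for (p in cur) if (!(p in base)) print "ADDED " p
        }' "$baseline" "$current" | LC_ALL=C sort
}

# demo: constructed sample trees standing in for a clean reference install
# (good/) and a compromised host's disk mounted read-only (suspect/).
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/good/bin" "$tmp/suspect/bin"
    printf 'original ls\n'    > "$tmp/good/bin/ls"
    printf 'original ps\n'    > "$tmp/good/bin/ps"
    printf 'original login\n' > "$tmp/good/bin/login"
    cp "$tmp/good/bin/ls" "$tmp/suspect/bin/ls"       # untouched binary
    printf 'replaced ps\n' > "$tmp/suspect/bin/ps"    # binary differs
    #                                                   login absent on suspect
    printf 'extra\n' > "$tmp/suspect/bin/.hidden"     # file only on suspect

    make_manifest "$tmp/good"    > "$tmp/baseline.txt"
    make_manifest "$tmp/suspect" > "$tmp/current.txt"
    compare_manifests "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}

demo
```

In real use, `make_manifest` runs once on the trusted reference system (or over the contents of the install media) and the resulting file is stored off-host; on the suspect machine it runs against the mount point of the disk, never against the live root of the compromised OS. The same idea applies to `rpm --verify` itself: its `--dbpath` option lets it read a package database copied from clean media instead of the one the intruder could have rewritten.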

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
