RE: strange telnet behavior

From: Snow, Corey (CSNOW@ddpwa.com)
Date: 02/22/02


From: "Snow, Corey" <CSNOW@ddpwa.com>
To: incidents@securityfocus.com
Date: Fri, 22 Feb 2002 13:55:29 -0800

You should *always* wipe and reload after being rooted, or alternatively run
a full comparison of the system with a trusted source. A rootkit may not
change much itself but the attacker who used the rootkit can change
anything, add trojans, compromise other system areas, leave backdoors,
create accounts, hide data, etc. All of these things are dependent on the
skill and motivation of the attacker.

If a system has been compromised, it is impossible to ever fully "trust"
that system again unless it has been completely restored from known good,
trusted sources or every system file has been compared to a known trustable
version. Simply eliminating the rootkit *may* eliminate your immediate
problem, but you can never be absolutely positive that the system does not
remain compromised in some more subtle way.

What to do after being compromised (IMO) (YMMV):

Remove system from network. DO NOT RECONNECT SYSTEM UNTIL IT IS COMPLETELY
REBUILT. Use floppy disks or CDs to move files to and from system during
rebuild process. Never copy anything over the network until system is fully
rebuilt and all patches, security fixes, etc. have been applied.

Make complete backup of all system files, drives, etc. for analysis of the
attack. If system can be analyzed as is (in other words, you don't need the
system back up ASAP), do analysis there. Otherwise restore backups to
another box and analyze.

Reformat every partition on the machine. Utterly wipe out all files,
executables, data, etc. If you have data you need to recover/restore, do it
from backups, and ONLY EVER RESTORE DATA from a box that has been
compromised. Ensure that before you move on, the box is totally lobotomized:
even "data-only" partitions should (must) be wiped and recreated.

Reinstall your OS of choice from *known good* sources. Or a backup of the
system made prior to the compromise is another option. The best option would
be a reinstallation of the operating system followed by a restoration of
data only from a backup made prior to the compromise of the system.

Harden your operating system and network environment as appropriate.
Remember to learn the lesson you were taught by having been rooted before.
Plug any and all holes known in your system, and ensure your environment
protects as much as possible against future attacks.

Restore any data (html files, etc.) to the box that is necessary for
operation. Only restore data: never, ever restore from a compromised system
any binary, script, or anything else that can be executed or contains
instructions. Such items on a compromised system must forevermore be treated
as suspect. Custom scripts, etc. should be inspected carefully, assuming that
no "trusted" source is available (a script you wrote, for example, that you
have no recent backup for).

Before connecting to the network again, make sure that any and all passwords
on the system are changed. Some rootkits archive and/or reveal passwords, so
if you continue to use the same passwords, the attacker no longer even needs
the rootkit or any backdoors: the front door is wide open.

This may seem extreme, but if you want to ever trust the system again, you
really should do more than just plug the hole created by the rootkit.
There's really no way of knowing how much damage the attacker has done since
the rootkit went in. In my opinion, a compromised system must always be
treated as suspect until it has been totally rebuilt. Draconian, to be sure.
Others may have differing opinions on the subject, and you should listen to
them as well. :)

Another way to recover from a system compromise is to make a file-by-file
comparison of all the files on the system with a trusted archive. This is
very painstaking, but effective, if done properly. Tools exist to help with
this process, but unless you know already exactly how big and what checksums
every operating system file has, you may be out of luck.

You might also read some of the following.

http://www.cert.org/archive/pdf/external-incidents.pdf
http://www.cert.org/security-improvement/practices/p051.html
http://online.securityfocus.com/infocus/1184

Regards,

Corey Snow
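The file-by-file comparison against a trusted archive that the post describes, as an added example that is not part of the original message: every regular file under a root is hashed and its mode recorded, the result is written out as a manifest (which you would generate on a known-good install and carry to the suspect box on read-only media), and the suspect tree is diffed against it. The manifest format, the directory layout and the sample "trusted" and "tampered" trees are this example's own assumptions.

```python
"""Diff a suspect filesystem tree against a manifest from a trusted source.

Added example, not code from the original post. Everything here (manifest
format, tree layout, sample files) is an assumption made for illustration.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root) to (sha256, permission bits).

    Symlinks are recorded by their target string instead of being followed,
    so a symlink swapped in for a real binary shows up as a change rather
    than being hashed through to whatever it points at."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                manifest[rel] = ("symlink:" + os.readlink(p), stat.S_IMODE(st.st_mode))
            elif stat.S_ISREG(st.st_mode):
                manifest[rel] = (sha256_file(p), stat.S_IMODE(st.st_mode))
    return manifest


def write_manifest(manifest, path):
    # One line per file: hash, octal mode, relative path (assumes paths
    # contain no tabs or newlines).
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            digest, mode = manifest[rel]
            f.write(f"{digest}\t{mode:04o}\t{rel}\n")


def load_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, mode, rel = line.rstrip("\n").split("\t", 2)
            manifest[rel] = (digest, int(mode, 8))
    return manifest


def compare(trusted, suspect):
    """Classify differences between a trusted and a suspect manifest.

    A mode change alone counts as 'modified': a rootkit often leaves the
    bytes of a binary intact and only adds a setuid or world-write bit."""
    modified = sorted(k for k in trusted if k in suspect and trusted[k] != suspect[k])
    missing = sorted(k for k in trusted if k not in suspect)
    added = sorted(k for k in suspect if k not in trusted)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Build a constructed trusted tree and a tampered copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = Path(tmp) / "trusted"
        suspect_root = Path(tmp) / "suspect"
        good = {  # constructed sample files standing in for real system files
            "bin/ls": b"#!/bin/sh\n/real/ls \"$@\"\n",
            "bin/login": b"login binary v1\n",
            "sbin/ifconfig": b"ifconfig binary v1\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for root in (trusted_root, suspect_root):
            for rel, data in good.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
                p.chmod(0o755 if rel.startswith(("bin/", "sbin/")) else 0o644)
        # Tamper with the suspect copy: trojaned ls, setuid login, a dropped
        # hidden file, and a removed utility.
        (suspect_root / "bin/ls").write_bytes(b"#!/bin/sh\n/real/ls \"$@\" | grep -v rk\n")
        (suspect_root / "bin/login").chmod(0o4755)
        hidden = suspect_root / "usr/lib/.rk/hide"
        hidden.parent.mkdir(parents=True)
        hidden.write_bytes(b"rootkit payload\n")
        (suspect_root / "sbin/ifconfig").unlink()

        manifest_path = Path(tmp) / "trusted.manifest"
        write_manifest(build_manifest(trusted_root), manifest_path)
        return compare(load_manifest(manifest_path), build_manifest(suspect_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the manifest step on the trusted box, not the suspect one: a hash list generated on a rooted system with a trojaned `sha256sum` or `find` is worthless, which is exactly why the post says you need to already know the sizes and checksums before you start.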

> -----Original Message-----
> From: Gideon Lenkey [mailto:glenkey@infotech-nj.com]
> Sent: Wednesday, February 20, 2002 8:41 PM
> To: Bryan Andersen
> Cc: Vladimir Ivaschenko; incidents@securityfocus.com
> Subject: Re: strange telnet behavior
>
>
> On Tue, 19 Feb 2002, Bryan Andersen wrote:
>
> /* Make a backup. wipe and reload. Then restore your data only.
> /* It has been rooted. Telnet should not be doing that at all.
>
> You really don't have to wipe and reload to recover from this
> root kit.
> It really doesn't change much. See the instructions in the archive:
>
> http://online.securityfocus.com/archive/75/249597
>
> --Gideon
>
> * Gideon J. Lenkey, CISSP * PGP Key ID 0x92556BEC *
> * InfoTech Associates, Inc. * pgp.mit.edu *


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


