Re: hacked.e-microsoft.net attacks!!!

From: Rick Moen (rick_at_linuxmafia.com)
Date: 09/13/05


Date: Tue, 13 Sep 2005 12:15:14 -0400

darkog <kaliski_staddon-usenetATyahooDOTcom> wrote:

[root-compromised Linux host:]

> can we implement some sort of OS snapshot system and revert back to a
> safer point in time before the security breach? perhaps something like M$
> system restore (no flames pls) but for a *nix based OS?

Sure. Consider for a moment what files _cannot_ (any longer) be trusted
on a root-compromised system. Those parts would need to be
restored/reimplemented from a trustworthy backup or trustworthy
installation media, as appropriate:

1. All executable files and libraries.
2. All system configuration files.
3. All user dotfiles.

You have to be prepared to throw away #1 (executables/libs); in general
re-do #2 (system config) by hand, referring to your compromised config
files but not reusing them; and advise your users to not screw up
regarding #3 (and preferably somehow prevent them from doing so).

So: You're going to want to keep good backups of your and your users'
data files (from all the myriad of places where such files live), a tarball
of /etc (e.g., using "cd / ; tar czf /tmp/etc-$(date --iso-8601).tar.gz etc");
and some sort of snapshot of your system's package database. Obviously,
how you do the last of those is distribution-dependent.

> can we use or follow some sort of tried and true method of exporting our
> config files to be able to quickly bring a duplicate system up and running
> in a much faster time frame?

The above Works for Me.<tm>

-- 
Cheers,                 "Due to circumstances beyond our control, we regret to
Rick Moen               inform you that circumstances are beyond our control."
rick@linuxmafia.com                                              --Paul Benoit
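As an added example that is not part of Rick Moen's post: the recipe above, the /etc tarball plus a distribution-dependent dump of the package database, written out as POSIX shell functions. It assumes a Linux host with GNU or busybox tar, sha256sum, and either dpkg or rpm; the source root and destination directory are parameters (the post's one-liner writes to /tmp on the live box) so the functions can be exercised against a scratch tree. The checksum file beside the tarball is an addition the post does not mention: it lets a later restore detect tampering with the backup after it was taken, nothing more.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the two things the
# reply says a box can be rebuilt from, a tarball of /etc and a dump of the
# package database, plus a SHA-256 of the tarball so a later restore can
# tell whether the backup itself was altered after it was taken.
# Assumes: Linux, GNU or busybox tar, sha256sum, dpkg or rpm.
# ROOT and DEST are parameters so this can be tried on a scratch tree.
set -u

# snapshot_etc ROOT DEST: archive ROOT/etc as DEST/etc-YYYY-MM-DD.tar.gz,
# write a .sha256 beside it, and print the tarball path.
snapshot_etc() {
    root=$1 dest=$2
    out="$dest/etc-$(date +%F).tar.gz"     # same stamp as "date --iso-8601"
    mkdir -p "$dest" || return 1
    # -C makes the archived paths "etc/..." so "tar -C / -xzf" puts them back.
    # The trailing "etc" operand is required: without it tar writes nothing.
    tar -C "$root" -czf "$out" etc || return 1
    ( cd "$dest" && sha256sum "$(basename "$out")" \
        > "$(basename "$out").sha256" ) || return 1
    printf '%s\n' "$out"
}

# verify_snapshot TARBALL: 0 if the recorded checksum matches and the
# archive can be listed; non-zero otherwise.
verify_snapshot() {
    tb=$1
    ( cd "$(dirname "$tb")" && \
      sha256sum -c "$(basename "$tb").sha256" > /dev/null 2>&1 ) || return 1
    tar -tzf "$tb" > /dev/null 2>&1
}

# detect_pkgdb: print dpkg, rpm or none. Which tool is present decides how
# the package database is dumped and later restored (distribution-dependent,
# as the post says).
detect_pkgdb() {
    if command -v dpkg > /dev/null 2>&1; then echo dpkg
    elif command -v rpm > /dev/null 2>&1; then echo rpm
    else echo none
    fi
}

# snapshot_pkgdb DEST: write the installed-package list into DEST and print
# its path. Returns 2 when no supported package manager is found.
snapshot_pkgdb() {
    dest=$1
    mkdir -p "$dest" || return 1
    case $(detect_pkgdb) in
        dpkg) out="$dest/dpkg-selections-$(date +%F).txt"
              dpkg --get-selections > "$out" || return 1 ;;
        rpm)  out="$dest/rpm-qa-$(date +%F).txt"
              rpm -qa | sort > "$out" || return 1 ;;
        *)    return 2 ;;
    esac
    printf '%s\n' "$out"
}

# Run against the live system: sh snapshot.sh --run [DEST]
# (reading /etc may need root; the package dumps work unprivileged).
if [ "${1:-}" = "--run" ]; then
    dest=${2:-/var/backups/snapshots}
    tb=$(snapshot_etc / "$dest") && verify_snapshot "$tb" && echo "etc: $tb"
    snapshot_pkgdb "$dest" || echo "no dpkg/rpm found; package dump skipped" >&2
fi
```

On the rebuilt host the dpkg list goes back with `dpkg --set-selections < dpkg-selections-DATE.txt` followed by `apt-get dselect-upgrade`; the rpm list is a plain package list to feed the installer of your choice. The /etc tarball is there to be read, not unpacked over the new system: a backup taken on or after the compromise, or stored on the compromised box, carries whatever the intruder changed, which is exactly why the post says to re-do the configuration by hand with the old files as reference.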