Re: changing root password with Knoppix?




Colin McKinnon wrote:
news@xxxxxxxxxxxxxx wrote:

I recently just had a FC2 box hacked.
Unfortunately we simply can't take it offline at the moment

OK so far.

because we
have outside people needing to use files on it.

erm, no.


While the crackper appeared to simply install a spam relay (didn't even
delete the bash_history or anything,)

You obviously don't KNOW that's all the cracker did. Take some time to think
about why not.

I don't want to take any chances
and need to change passwords on it, hoping he doesn't have bash storing
information.


Ah, hope, yes I forgot about that reliable method of ensuring security - you
might try prayers and/or sacrifice too.

It was recommended I use Knoppix to change the root password. I found a
thread where Lew P. instructed someone how to delete the root password:

<snip>

But, when I boot back up with the system, IF bash IS being logged, when
I change the root password won't it be logged?

That's the least of your worries - apart from anything else - this tutorial
isn't going to work on your machine.

Like that?
(LOL I love this from the badblocks man: "This can be overriden using
the -f flag, but should almost never be used --- if you think you're
smarter than the bad-blocks program, you almost certainly
aren't.")

(I'm sooooooo tempted....)

Let's try again.
You WILL backup ONLY the files you MUST keep from this server.
You WILL check them for executable content.
You WILL reformat the hard disk and reinstall from distribution media
You WILL install all vendor patches before running any services (preferably
before plugging it into the internet)
You WILL install an IDS to ensure that you can recover next time
You WILL learn how to use it
You may now restore the files you carried over from the previous life of the
box.
You WILL keep your security procedures under regular monitoring and review.


How'bout this:

You WILL not assume that I WASN'T planning on only backing up what we
must keep.
You WILL realize that you do not know that we are overnighting new HD's
from Newegg to put into a new machine that is going to be replacing the
old, compromised one.
You WILL not assume that I won't install the patches, or that I wasn't
before by running nightly "yum" updates (FedoraCore) or be subscribed
to the Slackware lists alerting me of new patches with the new server
(that will, to be redundant, be running Slackware.)
You WILL not assume that I don't already have a separate IP-Cop serving
as an IDS box, and that the compromised system was in the DMZ as it was
being used as a Web server and thus was required to have SOME
compromiseable access to the Internet.

See my reply to the other rather rude, assuptive, and elitest responder
for information as to why we're taking the chance with keeping the
system up for another cpl days, and tedious information regarding
getting new hardware which implies our copying only necessary data onto
a rebuilt system, and reinforcement of my knowledge that I'm NOT
certain that's all that was done to the system, but am mostly sure
based on evidence.
The fact I'm not possitive is evidenced in the fact that I'm completely
rebuilding the system.

Thank you.

(Wow, it's funny. I thought the Slackware people over in that newsgroup
would be pricks, but they've turned out to be extremely helpful,
respectful, great people. Why is it over here I get slammed by elitest
jerks who evidently were born with all knowledge and never had to learn
anything themselves through experience or "the hard way" and so cut no
slack. Weird.)

.



Relevant Pages

  • Re: 4 patches wont install - 835732, 840987, 828035, 824105
    ... running Win 2003 Standard, joined to domain but not a DC, ... Did find on another post though that if you install kb840315 and kb841533 ... our two servers were upgraded from Windows 2000 Server ... I've been able to install all patches but 4: ...
    (microsoft.public.windows.server.general)
  • Re: SBS 2003 will not boot up
    ... Then I reboot the server BEFORE installing any patches, ... Then I install patches. ...
    (microsoft.public.windows.server.sbs)
  • Re: Cant download critical patches from Win Update
    ... to do with the ISA server blocking the update. ... Is there any particular ports that Windows Update uses that ISA doesn't let ... > patches I require are ... >>listed but when I press install I get a Windows Update ...
    (microsoft.public.windows.server.sbs)
  • Re: Dear Microsoft... Rebooting servers id NOT security..
    ... > Duh - that's why you install patches during your companies scheduled ... The problem is with critical security patches.. ... the concept of rebooting is simply wrong for a server. ...
    (microsoft.public.windows.server.security)
  • Re: OpenBSD vs. Linux
    ... > which should I install. ... > I've got very good background in Linux, specially Slackware and Red Hat. ... > server with a few important domains, so I need a really secure one. ...
    (comp.unix.bsd.openbsd.misc)