On Mon, Sep 13, 2004 at 10:06:05PM -0400, Adam Aube wrote:
> Kevin Mark wrote:
>
> > There are no top secret things on my system, so full reinstall is not an
> > urgency.
>
> You have disk space and bandwidth - many times that's all an attacker wants.
>
> > I also checked 'top' for any unexpected processes and there was none. Of
> > course if top, ps and the kernel were replaced, then maybe I wouldn't know
>
> 1) Boot from a live cd and chroot to your local system
> 2) Use debsums (preferably copied from the live CD) to verify the integrity
> of the libraries and binaries in your installed packages
> 3) Reinstall packages whose binaries or libraries do not match
>
> Of course, the attacker could have trojaned your local apt cache, debsums'
> dependencies, apt-get/aptitude, dpkg, your startup scripts, etc.
>
> Eventually it just becomes easier to back up your data and wipe and
> reinstall the system than to try to fully verify that the system is secure.
>
> Adam
>
Hi Adam,

8GB (1.6 left) does not a warez archive make :-)

I looked at the ssh attack articles and the attacker left my root .bash_history and /var/log/auth.log and attempted to download some tgz. As the article suggested, this guy (at least this time) was not a guru. I checked the dates of some of the suggested bins like ps, md5sum and they were the orig.

As I said, after a dist-upgrade of 300 pkgs, much will not be UNtouched. Of course, dist-upgrades do not affect ALL pkgs, like some of the core ones, so those would have to be 'reinstalled'.

I have not seen unexpected segfaults, unexpected ssh activity (now sshd is not allowing remote root logins!) or other weirdness.

When I have the inclination, I'll have fun with the new debian-installer.

Cheers,
-Kev
--
 (__)
 (oo)
 /------\/
/ |    ||
*  /\---/\
   ~~   ~~
...."Have you mooed today?"...
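The debsums step in Adam's procedure, as an added example (not code from this thread or from the debsums project): a small Python reimplementation of what debsums actually compares, namely each installed file against the MD5 list its package shipped in /var/lib/dpkg/info/<pkg>.md5sums, run here over a constructed fake root. The package names and file contents are made up; on a real box you would point verify_root at the suspect filesystem mounted from a live CD, and Adam's caveat still applies, since the .md5sums lists themselves live on the suspect disk.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_root(root):
    """Return {pkg: [relative paths that are missing or modified]} for every
    package that has an md5sums list under root/var/lib/dpkg/info.
    Each line of a .md5sums file is '<md5>  <path relative to />'.
    (Real debsums also skips conffiles; that is omitted here.)"""
    info = os.path.join(root, "var", "lib", "dpkg", "info")
    bad = {}
    for name in sorted(os.listdir(info)):
        if not name.endswith(".md5sums"):
            continue
        pkg = name[: -len(".md5sums")]
        with open(os.path.join(info, name)) as f:
            for line in f:
                expected, rel = line.rstrip("\n").split("  ", 1)
                path = os.path.join(root, rel)
                if not os.path.isfile(path) or md5_of(path) != expected:
                    bad.setdefault(pkg, []).append(rel)
    return bad


def build_demo_root():
    """Constructed sample tree (not a real system): two packages, one of
    whose binaries is altered after 'installation'."""
    root = tempfile.mkdtemp()
    files = {"bin/ps": b"original ps\n", "usr/bin/md5sum": b"original md5sum\n"}
    info = os.path.join(root, "var", "lib", "dpkg", "info")
    os.makedirs(info)
    for pkg, rel in (("procps", "bin/ps"), ("coreutils", "usr/bin/md5sum")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(files[rel])
        with open(os.path.join(info, pkg + ".md5sums"), "w") as f:
            f.write("%s  %s\n" % (hashlib.md5(files[rel]).hexdigest(), rel))
    with open(os.path.join(root, "bin", "ps"), "ab") as f:  # simulate tampering
        f.write(b"extra bytes\n")
    return root
```

Running verify_root(build_demo_root()) flags only procps, the package whose ps no longer matches its shipped checksum, which is the "reinstall these" list step 3 asks for.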