Date: Sat, 19 Apr 2003 15:19:36 -0500
From: "L. Adrian Griffis" <adrian@nerds.org>
Subject: Re: ACK! How to fix a compromised system?
Message-ID: <Pine.LNX.4.10.10304191500320.29872-100000@cyclone>
> I've got a box that someone put a "toolz" kit on yesterday. Any ideas on
> how to cleanse the beast?
I know this is not the answer you want to hear, but the answer is to
backup the old system and reinstall. While you are contemplating
how much of a nuisance this is and how much you don't want to do it,
consider the following common things that script kiddies often do
when taking over a system:
o Install trojanized versions of netstat that will not show the
ports on which the backdoors they install are listening.
o Install kernel modules to hide ports from view in the "/proc"
filesystem, so that nothing, not even netstat, will show
the ports on which backdoors listen.
o Install trojanized versions of 'ls' to hide specific files
from view.
o Install kernel modules to hide files and directories from
view.
o Install kernel modules to hide specific processes from view.
o Install kernel modules that cause 'exec' calls to specific
files to be diverted to other files. This way, tools like
tripwire can open the original versions of these files and
see the expected checksums for them, but when executed,
another file is designated to be loaded into memory, instead.
o Install kernel modules to hide the presence of other kernel
modules.
Note that every one of these techniques has been seen in the wild.
Not one is in any sense purely a theoretical concern. Are you really
sure you can defeat all the incarnations of each of these approaches
to securing a foothold on your system?
None of us likes reinstalling systems, but there are reasons why
people in the security business will advise you to do so, when you
think a system has been compromised.
Adrian
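As an added example (not part of Adrian's post), here is one concrete check against the first two items in his list, the hidden-port case: ask the kernel's bind() whether a port is taken and compare that with what /proc/net/tcp admits to. The /proc/net/tcp sample is constructed, and `visible_ports`, `port_is_bound` and `hidden_listeners` are names chosen here.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp as a filtering kernel module might
# present it: only port 22 (hex 0016) is shown, listening and established.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def visible_ports(proc_net_tcp_text):
    """Return every local port /proc/net/tcp admits to, in any state
    (not only LISTEN: an established connection also owns its port)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 2:
            continue
        ports.add(int(fields[1].split(":")[1], 16))  # local_address is ip:port hex
    return ports


def port_is_bound(port):
    """Ask the kernel directly: bind() fails with EADDRINUSE when a socket
    already owns the port, whether or not /proc shows it. IPv4 only."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        # SO_REUSEADDR stops TIME_WAIT leftovers from causing false alarms;
        # Linux still refuses the bind while a LISTEN socket owns the port.
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
        return False


def hidden_listeners(proc_net_tcp_text, ports, bound=port_is_bound):
    """Ports that are really bound but missing from the kernel's /proc view.
    Empty on a clean host; anything else means that view is being filtered.
    `bound` is injectable so the logic can be exercised on constructed data."""
    visible = visible_ports(proc_net_tcp_text)
    return sorted(p for p in ports if p not in visible and bound(p))


if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # live check, Linux only
        print(hidden_listeners(f.read(), range(1, 65536)))
```

A non-empty result is evidence, not proof: a module that filters /proc can lie to bind() just as easily, which is exactly why the reply above ends with reinstall.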