[oclug] a rooted system

Sandy Harris sandy at storm.ca
Tue Apr 24 00:53:30 EDT 2001 

> Billy Omer wrote:

> The only thing I could think of that they did to disable the .bash_history file from
> keeping a history of issued commands by the root user was a modified /bin/bash file.

Or change root's shell in /etc/passwd, or add something in a logout script or a cron
job to delete the file, or create another user with UID=0 so it gets all root's
privileges but isn't named "root", or ... 

> ... as well as making double-damn sure nothing was running that shouldn't be.

Yes, but if they've modified your 'ps' command, you still aren't sure.
 
> The only true fix I can thing of is to wipe and start clean.

I agree.

> However, the owner feels that is not an option.

He probably felt that when there was an intruder months ago. That may be why you
have the problem now.

>  ... So, I'm stuck with having to take care of this and making sure this wont
> happen again.   Anyone have any advice or suggestions that I can try?

If you cannot re-install on this machine, take another machine and do a clean
fresh install on it, from the same CDs this machine was built with. Then run
tripwire on both machines and compare results.

Look carefully at all differences discovered.

   If ps, or bash, or any other executable is different, assume it is a trojan
     and replace it.
   If scripts or configuration files are different, read both versions. If in
     doubt, replace the version on the compromised machine.
   If one machine has files not on the other, figure out why.
   If permissions are set differently, figure out why.

This is far more work, and more error-prone, than just doing a fresh install on
the compromised machine, but I think it is possible to get a secure system again
this way. If that's what the boss wants, and he's willing to pay for the time
(my guess is a week, full-time), do it his way.

Once you've gotten rid of all suspect software, configure for tighter security.
Check Bugtraq and Slashdot and CERT and sendmail.org and ... for security alerts
on the software you're using. Apply patches, adjust configurations, ...

I'm inclined to think ipchains is not just for firewalls. Any server exposed
to the net should run ipchains (or netfilter on 2.4 kernels) to limit its
exposure, whether or not there's a firewall in front of it.

More information about the OCLUG mailing list