[oclug] a rooted system
Strosberg, Bill
bill.strosberg at rcpsc.edu
Tue Apr 24 08:08:20 EDT 2001
Billy:
Please take the advice of the OCLUG members, and completely re-install the
machine. Although there is a lot of merit in Sandy's explanation of how to
avoid a complete re-install, you will never know with 100% certainty that
the machine is truly clean.
It seems you have some definite preferences to distribution, although I
would say that it would probably be easier to keep the machine as a RedHat
box. Configuration files and file system layout are easier to duplicate if
there are no fundamental differences between the source and target
distributions.
RedHat is no worse than other distributions regarding security - many
security alerts are distribution independent. Since RedHat has a larger
user base, it will statistically show problems first and more often. Having
a dramatically larger user base testing, finding and fixing exploits follows
the Unix/Open Source security model better than security through obscurity.
Regardless of distribution, they all need to be updated, patched and checked
regularly.
You MUST run a strong ipchains (or netfilter) ruleset with extensive logging
on the box. You should have a cron task regularly (I do this every few
hours) copying, compressing and archiving your logs as a backup to the
actual logs themselves. Very few script kiddies will search for compressed
archives of logs when trying to cover their tracks.
My other concerns that do not seem to have been addressed so far are that
your client's network has been compromised, not just one machine. By the
time you notice one mouse (or rat) in your house you can have complete
assurance that there are ten others already in residence. Given the
client's laissez-faire attitude towards security in general, remember to
document the hell out of any suggestions you make and things that you've
done. FWIW, it smells like a situation where you may be made into a
scapegoat to be blamed for problems not of your making.
I've had to clean up boxes after they've been root-kitted, and do you ever
gain an appreciation for the value of prevention over cure quickly.
--
Bill Strosberg
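The log-snapshot cron job Bill describes (copy, compress, archive as a backup of the live logs), as an added example that is not from the post or from OCLUG. It adds a checksum manifest so a later tampering of the archive copies is detectable; the log and archive directories and the crontab line are assumed, not the original poster's.

```shell
#!/bin/sh
# Added example: snapshot every file in a log directory into a compressed,
# timestamped copy and record a SHA-256 manifest of the copies.
# Assumed crontab entry (hypothetical path), run every four hours as Bill suggests:
#   0 */4 * * * root /usr/local/sbin/archive_logs.sh run
# Requires gzip and GNU sha256sum.

archive_logs() {
    log_dir="$1"
    archive_dir="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    umask 077                      # archives readable by the owner only
    mkdir -p "$archive_dir" || return 1
    count=0
    for f in "$log_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        out="$name.$stamp.gz"
        # Copy-and-compress from the live file; the live log itself is never modified.
        gzip -c "$f" > "$archive_dir/$out" || return 1
        # Manifest entries are relative so the archive directory can be moved intact.
        (cd "$archive_dir" && sha256sum "$out" >> MANIFEST.sha256) || return 1
        count=$((count + 1))
    done
    echo "$count"                  # number of files archived (the function's result)
}

# Re-hash every archived copy against the manifest; succeeds only if none changed.
verify_archives() {
    (cd "$1" && sha256sum -c --status MANIFEST.sha256)
}

case "${1:-}" in
    run) archive_logs /var/log /var/log-archive ;;   # assumed paths
esac
```

Keep the archive directory on a separate filesystem or host where possible; a manifest on the same box only tells you that the copies were altered, not who altered them.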