Full Disclosure
mailing list archives
Re: Removing ShKit Root Kit
From: Alexander Schreiber <als () thangorodrim de>
Date: Mon, 22 Dec 2003 23:16:02 +0100
On Mon, Dec 22, 2003 at 01:52:57PM -0600, Schmehl, Paul L wrote:
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of
> Alexander Schreiber
> Sent: Monday, December 22, 2003 12:24 AM
> To: Chris
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Removing ShKit Root Kit
>
> There is exactly one way to properly clean up a rooted box:
> backup the system (for later analysis and for keeping any
> data that might be needed), wipe the disks and reinstall from
> known clean install media, update the system to get all
> current security updates and properly secure the box.
>
> This advice is common, and it's always mystified me. Why would you want
> backups of the "data"? If the box is compromised, you can't trust
> *anything* on it, can you? How can you know for certain that "data"
> isn't a cleverly concealed backdoor?
>
> I can understand backing up the disk for offline analysis, but I would
> think you'd want to restore your data from known good copies, wouldn't
> you? And if you don't have known good data backups, well, then consider
> it a lesson learned and do it right the next time.
Keeping a backup of the data of the compromised box can be useful for
several purposes:
- Offline analysis: how did the cracker get into the box and what did he do,
once he owned it?
- What data was on the box (unless deleted by the cracker) and must
therefore be considered compromised?
- Maybe it needs to be kept as evidence (but then better follow proper
forensic data duplication procedures).
- If you don't have current backups of the data and the data was worth
keeping (most likely true), slap yourself silly with a wet towel
because you (or your management) have been stupid. Try to recover the
data from the box, but consider all of it well and truly mangled,
after all, if your secret source code was on this box, the cracker
might as well have hidden a nasty backdoor in there ...
Of course, restoring the data from known good backups is always better.
If you have proper backups, don't care for the analysis and just want to
have the machine back working, then just wipe, reinstall, secure, restore
and be done with it.
Regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
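The "proper forensic data duplication procedures" the reply mentions, as an added example that is not part of the original post and not Alexander Schreiber's code: a POSIX shell routine that images a suspect disk with dd and records SHA-256 digests of both source and image so the copy can be verified later. It assumes (hypothetically) that the box has been booted from known-clean media so the suspect disk (e.g. /dev/sda) is unmounted and no rootkit can lie about its contents, that dd and sha256sum (or shasum) are available, and that the destination has room for the whole disk; the file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: acquire a verifiable bit-for-bit
# image of a suspect disk for offline analysis before the disk is wiped.
# Assumptions (all hypothetical): the machine was booted from known-clean media
# so the suspect disk (e.g. /dev/sda) is not mounted, dd and sha256sum or
# shasum are available, and DST has room for the whole disk. Run as root for
# real block devices.

# sha256_of FILE  -> prints the SHA-256 hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# forensic_image SRC DST [BLOCKSIZE]
#   Copies SRC to DST with dd, records SHA-256 digests of both in DST.sha256
#   and returns 0 only when the digests match.
forensic_image() {
    src="$1"
    dst="$2"
    bs="${3:-512}"

    # conv=noerror,sync keeps dd going past unreadable sectors and pads each
    # short read with zeros so later offsets stay correct. The padding is
    # applied per block, so BLOCKSIZE must equal the sector size (512 here):
    # a larger value would also pad the final partial block and the image
    # would no longer hash the same as the source.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>/dev/null || return 1

    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")

    # Custody record kept next to the image: when it was taken and what the
    # source and the copy hashed to, so the copy can be proven later.
    {
        printf 'acquired %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        printf 'source   %s  %s\n' "$src_hash" "$src"
        printf 'image    %s  %s\n' "$dst_hash" "$dst"
    } > "$dst.sha256"

    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST
#   Re-hashes an existing image and compares it with the digest recorded at
#   acquisition time; fails if the image has been altered since.
verify_image() {
    dst="$1"
    recorded=$(awk '$1 == "image" { print $2 }' "$dst.sha256" 2>/dev/null)
    current=$(sha256_of "$dst")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}
```

Typical use is `forensic_image /dev/sda /mnt/evidence/box.raw && verify_image /mnt/evidence/box.raw`; if the two digests do not agree, the disk is re-read before anything is wiped. All subsequent analysis works from the image, mounted read-only with `-o ro,noexec,nodev,nosuid,loop`, so that nothing on the compromised filesystem ever executes and the original disk stays untouched until the copy has verified.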
Current thread:
- Re: Removing ShKit Root Kit, (continued)
Re: Removing ShKit Root Kit Paul J. Morris (Dec 22)
RE: Removing ShKit Root Kit Nick FitzGerald (Dec 22)
Re: Removing ShKit Root Kit Alexander Schreiber (Dec 22)
RE: Removing ShKit Root Kit Schmehl, Paul L (Dec 22)
RE: Removing ShKit Root Kit John . Airey (Dec 23)