Full Disclosure mailing list archives

Re: one of my servers has been compromized


From: Valdis.Kletnieks () vt edu
Date: Tue, 06 Dec 2011 12:36:35 -0500

On Mon, 05 Dec 2011 13:53:21 GMT, Dan Ballance said:

> Also, am I correct to think that using something like tripwire is the best
> way to detect root kits properly, but that it obviously needs installing
> when the box is fresh and before it has been physically connected to a
> network?

tripwire needs to be installed on a known-good system.  This is obviously
*easier* before you connect to a network, but you certainly should *not*
say "zomg I connected it to a network for 35 seconds, I'll not be able to
use tripwire ever again".

The bigger hassle with tripwire is patching your system - the recommended
way is to:

1) re-run a tripwire report and verify your system looks OK.
2) patch
3) re-run tripwire to report all changed files
4) Verify that only things changed are files you intended to patch, 
   4a) and that you got the versions you intended
5) re-re-run tripwire to commit the new values to the tripwire database.

Note that 4a is often harder than it looks - even if you have a GPG-signed
RPM, there's often scripts run at install/update time that screw around with
other files (I'm looking at you, every program that integrates itself into
Gnome and scribbles into /etc/gconf ;)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
