
Full Disclosure mailing list archives
Re: one of my servers has been compromized
From: Valdis.Kletnieks () vt edu
Date: Tue, 06 Dec 2011 12:36:35 -0500
On Mon, 05 Dec 2011 13:53:21 GMT, Dan Ballance said:
Also, am I correct to think that using something like tripwire is the best way to detect root kits properly, but that it obviously needs installing when the box is fresh and before it has been physically connected to a network?
tripwire needs to be installed on a known-good system. This is obviously *easier* before you connect to a network, but you certainly should *not* say "zomg I connected it to a network for 35 seconds, I'll not be able to use tripwire ever again".

The bigger hassle with tripwire is patching your system - the recommended way is to:

1) re-run a tripwire report and verify your system looks OK.
2) patch
3) re-run tripwire to report all changed files
4) Verify that the only things changed are files you intended to patch,
4a) and that you got the versions you intended
5) re-re-run tripwire to commit the new values to the tripwire database.

Note that 4a is often harder than it looks - even if you have a GPG-signed RPM, there are often scripts run at install/update time that screw around with other files (I'm looking at you, every program that integrates itself into Gnome and scribbles into /etc/gconf ;)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
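The five-step patch cycle in the message above, as an added example that is not part of the original post and does not use tripwire itself: a small sha256 snapshot stands in for the tripwire database, and the "intended" manifest (path -> expected digest, the information a signed package would give you) is a constructed dict for a hypothetical package foo-1.1. The tree, file contents and the post-install script that scribbles into etc/gconf are all constructed for the demonstration; the point is step 4/4a, where any change outside the manifest or with the wrong digest is reported instead of silently committed in step 5.

```python
"""
Added example: a minimal file-integrity patch cycle mirroring the workflow
    1) check against baseline  2) patch  3) re-check
    4) only intended files changed  4a) with the intended content
    5) commit the new baseline.
Not tripwire and not from the original post; all paths and data are constructed.
"""
import hashlib
import os
import tempfile


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its sha256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = sha256_bytes(fh.read())
    return snap


def diff_snapshots(old, new):
    """Return (added, removed, modified) sets of relative paths."""
    old_keys, new_keys = set(old), set(new)
    modified = {p for p in old_keys & new_keys if old[p] != new[p]}
    return new_keys - old_keys, old_keys - new_keys, modified


def verify_patch(old, new, intended):
    """
    Steps 4 and 4a. `intended` maps each path the package is supposed to write
    to the digest it should have afterwards. Returns (ok, findings).
    """
    added, removed, modified = diff_snapshots(old, new)
    findings = []
    for p in sorted(added | modified):
        if p not in intended:
            findings.append(f"unexpected change: {p}")      # e.g. a post-install script
        elif new[p] != intended[p]:
            findings.append(f"wrong version: {p}")          # not the package you meant
    for p in sorted(removed):
        findings.append(f"unexpected removal: {p}")
    for p in sorted(intended):
        if p not in new:
            findings.append(f"intended file missing: {p}")
        elif new[p] != intended[p] and p not in added | modified:
            findings.append(f"patch not applied: {p}")
    return (not findings), findings


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def run_patch_cycle(scribbling_postinstall):
    """
    Run the whole cycle on a constructed tree. With scribbling_postinstall=True
    the (hypothetical) package's install script also rewrites etc/gconf/foo.xml,
    which is not in the manifest. Returns (ok, findings, committed_baseline).
    """
    with tempfile.TemporaryDirectory() as root:
        write(root, "usr/bin/foo", b"foo v1\n")
        write(root, "etc/foo.conf", b"debug=0\n")
        write(root, "etc/gconf/foo.xml", b"<gconf/>\n")
        baseline = snapshot(root)                      # step 1: known-good database

        new_foo = b"foo v1.1\n"
        intended = {"usr/bin/foo": sha256_bytes(new_foo)}   # constructed manifest for foo-1.1

        write(root, "usr/bin/foo", new_foo)            # step 2: patch
        if scribbling_postinstall:
            write(root, "etc/gconf/foo.xml", b"<gconf><foo/></gconf>\n")

        after = snapshot(root)                         # step 3: re-run the report
        ok, findings = verify_patch(baseline, after, intended)   # steps 4 / 4a
        if ok:
            baseline = after                           # step 5: commit only if clean
        return ok, findings, baseline


if __name__ == "__main__":
    for scribble in (False, True):
        ok, findings, _ = run_patch_cycle(scribble)
        print("clean" if ok else "NOT committed:", findings)
```

In the clean run the new baseline is committed; in the scribbling run the cycle stops with `unexpected change: etc/gconf/foo.xml` and the old baseline is kept, which is exactly the case step 4a is meant to catch.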
Current thread:
- Re: one of my servers has been compromized, (continued)
- Re: one of my servers has been compromized Gage Bystrom (Dec 06)
- Re: one of my servers has been compromized Dan Ballance (Dec 05)
- Re: one of my servers has been compromized Gage Bystrom (Dec 05)
- Re: one of my servers has been compromized Javier Bassi (Dec 05)
- Re: one of my servers has been compromized Dan Ballance (Dec 05)
- Re: one of my servers has been compromized Lucio Crusca (Dec 06)
- Re: one of my servers has been compromized BH (Dec 06)
- Re: one of my servers has been compromized Lucio Crusca (Dec 06)
- Re: one of my servers has been compromized Kerem Erciyes (Dec 06)
- Re: one of my servers has been compromized Gage Bystrom (Dec 06)
- Re: one of my servers has been compromized Valdis . Kletnieks (Dec 06)
- Re: one of my servers has been compromized Paul Schmehl (Dec 06)
- Re: one of my servers has been compromized Gage Bystrom (Dec 06)
- Re: one of my servers has been compromized Paul Schmehl (Dec 06)
- Re: one of my servers has been compromized Charles Morris (Dec 06)
- Re: one of my servers has been compromized Gage Bystrom (Dec 06)
- Re: one of my servers has been compromized Paul Schmehl (Dec 07)
- Re: one of my servers has been compromized Gage Bystrom (Dec 07)
- Re: one of my servers has been compromized Paul Schmehl (Dec 07)
- Re: one of my servers has been compromized Gage Bystrom (Dec 07)
- Re: one of my servers has been compromized Charles Morris (Dec 06)