Mailinglist Archive: opensuse-security (685 mails)
Re: [suse-security] compromised SuSE7.3?
- From: Michael Appeldorn <appeldorn@xxxxxxxxx>
- Date: Thu, 07 Feb 2002 17:16:48 +0100
- Message-id: <A0FBFCDASHGEBJDZSO43TPMJSNA98.3c62a870@pc_100_32>
>> If you think it's not only paranoia then check this URL for forensic
>> analysis.
>Is it a question of paranoia? Are there no ways to ensure that the
>system is clean while keeping it alive?
You'll destroy the attacker's marks.
>In evidence.txt they checked
>the md5sums of the installed packages. Which database do they use as
>reference?
The original database of the attacked machine:
rpm -V -a --root=`pwd`/mnt/ | grep ^..5
>When I check all binaries as recently described, there is
>still the possibility, that the rpm-database is corrupted itself, isn't
>it?
Yep
>Or is the result, that the md5sums of all the binaries were ok
>sufficient to declare this system being clean?
Nope
--
But, I meant the ways to examine your system for attack marks, e.g.
grabbing the whole drive via >dd /dev/hdX | grep "part of date" as shown
in the document. Read the whole doc to see all possibilities.
And examine files such as ps/ifconfig/lsof too. E.g. you can use /proc to look for
suspicious processes, if no kernel modules have been injected.
Michael Appeldorn
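An added example, not from Michael's mail: a small POSIX shell filter for the `rpm -V -a --root=...` output he refers to. It keeps only the lines whose third verification column is `5` (the MD5 digest test that the `grep ^..5` above selects) and separates config and doc files from binaries, since a changed /bin/ps matters far more than an edited /etc/hosts.allow. The sample rpm output and the mount point /mnt/evidence are constructed assumptions.

```shell
#!/bin/sh
# Filter `rpm -V` output for files whose MD5 digest no longer matches the
# package database. Each rpm -V line is: an 8-character flag field
# (S M 5 D L U G T, '.' = test passed), whitespace, an optional attribute
# letter (c = config, d = doc, g/l/r = ghost/license/readme), and the path.
# The third flag column is the MD5 digest test.

# Constructed sample of what `rpm -V -a --root=/mnt/evidence` might print
# (not real output from the host discussed in the thread).
SAMPLE_RPM_V='S.5....T  c /etc/hosts.allow
.......T    /usr/bin/vim
S.5....T    /bin/ps
..5....T    /sbin/ifconfig
missing     /usr/bin/lsof
.M......    /dev/null
S.5....T  d /usr/share/doc/packages/foo/README'

# Read rpm -V lines on stdin; print "<KIND> <path>" for each digest mismatch.
# KIND is CONFIG / DOC / OTHER for files rpm marks with an attribute letter
# (changes there are often legitimate) and BINARY for everything else.
rpm_md5_mismatches() {
    while read -r flags rest; do
        case "$flags" in
            ??5*) ;;          # third column '5': MD5 digest differs
            *) continue ;;    # passed, "missing", or an rpm notice line
        esac
        case "$rest" in
            "c "*)     kind=CONFIG; path=${rest#c } ;;
            "d "*)     kind=DOC;    path=${rest#d } ;;
            [glr]" "*) kind=OTHER;  path=${rest#? } ;;
            *)         kind=BINARY; path=$rest ;;
        esac
        printf '%s %s\n' "$kind" "$path"
    done
}

# Run the check against a mounted image of the suspect disk (assumed path);
# --root makes rpm use the rpm database found on that image, as in the mail.
verify_mounted_root() {
    rpm -V -a --root="${1:-/mnt/evidence}" | rpm_md5_mismatches
}

# Demo on the constructed sample (prints CONFIG, BINARY, BINARY, DOC lines).
printf '%s\n' "$SAMPLE_RPM_V" | rpm_md5_mismatches
```

It reads from stdin, so it works on saved output as well as a live run; as the mail notes, the result is only as trustworthy as the rpm database on the mounted image.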