Hey all, I've got a friend that possibly has a hacked machine.. and has recently purchased 6.4. Does he have to format the drive and start from almost scratch, or will just updating the system take care of the problem? Thanks much, Chrissy
On Wed, 10 May 2000, Chrissy LeMaire wrote:
Hey all, I've got a friend that possibly has a hacked machine.. and has recently purchased 6.4. Does he have to format the drive and start from almost scratch, or will just updating the system take care of the problem?
Thanks much, Chrissy
Just updating the system and forgetting about the cracker is probably not the best idea. First, this will not take care of cracked user accounts, e.g. by .rhosts files in user home directories. Second, you will lose all evidence of the hack if you do not back up a significant part of the system prior to reinstalling. If you have no clue how the cracker might have broken into the system, you will probably end up with a similar bad default configuration in the newly installed system.

My point is that you may learn a lot from a hacked system and be prepared the next time someone wants to get into your system. Take your time to investigate the system logs and look for installed root kits (e.g. by examining suspicious text strings in system binaries, like ps, ls, netstat, lsmod, find etc. and modified init scripts, by looking for anomalous accounts in passwd, hidden dot-dot-blank directories ...). Or you might even consider backing up your system, installing a neat kernel module to hide your own packet sniffer, logging anomalous network traffic to another host and just letting the cracker have fun for a while.

On the other hand, most people simply do not have the time to do all that (though it _can_ be fun and interesting). In this case, installing the system from scratch (including formatting the drive) is the only way to be sure you don't leave any backdoors open.

Cheers, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster, Germany
E-Mail (work): lewelin@uni-muenster.de
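The three quick checks Martin mentions (stray .rhosts files in home directories, anomalous accounts in passwd, and "dot-dot-blank" hiding directories) as a small POSIX shell triage script. This is an added example, not code from anyone in the thread. It is meant to run against a backup copy of the suspect filesystem mounted under a directory you pass as ROOT, never against the live root; the `build_sample` function constructs a throw-away tree with one planted instance of each finding so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: offline triage checks for a possibly compromised SuSE 6.x box.
# Run the check functions against a mounted backup image (ROOT), not the live root.
set -u

# Build a constructed sample tree with one planted finding of each kind and
# print its path. Everything below is made up for the demonstration.
build_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/home/alice" "$root/home/bob" "$root/tmp"
  # Constructed passwd: a second uid-0 account ("toor") among normal entries
  printf 'root:x:0:0:root:/root:/bin/bash\n'           >  "$root/etc/passwd"
  printf 'bin:x:1:1:bin:/bin:/bin/false\n'             >> "$root/etc/passwd"
  printf 'toor:x:0:0::/tmp:/bin/bash\n'                >> "$root/etc/passwd"
  printf 'alice:x:500:100::/home/alice:/bin/bash\n'    >> "$root/etc/passwd"
  # Constructed: a wide-open trust file left in a user's home directory
  printf '+ +\n' > "$root/home/alice/.rhosts"
  # Constructed: a directory literally named ".. " (dot, dot, space)
  mkdir "$root/tmp/.. "
  echo "$root"
}

# Every account with uid 0 that is not named root (one name per line)
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Every .rhosts file under the home directories
find_rhosts() {
  find "$1/home" -type f -name .rhosts 2>/dev/null
}

# Directories whose names are built to look like "." or ".." in an ls listing:
# ".. " / ". " with trailing blanks, "..something", or any name ending in a space
find_hidden_dirs() {
  find "$1" -type d \( -name '.. *' -o -name '. *' -o -name '..?*' -o -name '* ' \) 2>/dev/null
}

# Usage: sh triage.sh --demo   (builds the sample tree and reports on it)
#        sh triage.sh /mnt/backup   (reports on a mounted backup image)
case "${1:-}" in
  --demo) root=$(build_sample) ;;
  "")     exit 0 ;;
  *)      root=$1 ;;
esac
echo "== uid 0 accounts other than root:";   extra_uid0_accounts "$root"
echo "== .rhosts files under home:";         find_rhosts "$root"
echo "== suspiciously named directories:";   find_hidden_dirs "$root"
```

A hit on any of the three is a reason to treat the box as fully compromised and follow the reinstall advice rather than trust an in-place update; a clean result proves nothing, since a root kit that trojans find, ls and awk can hide exactly these artefacts, which is why the script is meant for a backup image examined from a trusted host.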
Sorry.. I should be a little more clear.. the hacked machine is an older version of SuSE.. 6.1 or 6.3. We can't find any evidence that the machine was actually rooted.. I recommended a backup, format, new install of 6.4.. but the machine has a lot of data and it will be really time consuming. I reconsidered and thought that since 6.4 will replace practically everything..including the kernel and all binaries..is it worth the format?
Chrissy

At 11:08 AM 5/10/2000 -0700, Chrissy LeMaire wrote:
Hey all, I've got a friend that possibly has a hacked machine.. and has recently purchased 6.4. Does he have to format the drive and start from almost scratch, or will just updating the system take care of the problem?
Thanks much, Chrissy
Hello!!
On 10-May-00 Chrissy LeMaire wrote:
We can't find any evidence that the machine was actually rooted..
I think it's more secure if you change all passwords, even the root one.
I recommended a backup, format, new install of 6.4.. but the machine has a lot of data and it will be really time consuming. I reconsidered and thought that since 6.4 will replace practically everything..including the kernel and all binaries..is it worth the format?
My personal opinion is that you should do the following steps:
1.) Close the system, shut down all network links (by software & hardware)
2.) Make a backup of the whole system (=> if you want to analyze it later)
3.) Reinstall the whole system (don't forget to format)
4.) Now the first thing you should do is update and fix all services
(the kernel and so on) => try to find security fixes!!
5.) Enter new passwords, don't use the old ones
6.) Install the rest of your system (additional software & data)
7.) Shut down all insecure services and useless services (useless for you):
+ telnet => try using ssh (it's encrypted with a 768-bit key)
+ rsh and so on
It looks like you've got a lot of work, but I think it's the most secure way.
At the end, make a portscan of your system (use SAINT or other software) and
close all ports you don't need.

Johannes Vieweg
P.S.: Sorry 'bout my bad English.
----------------------------------------------------
Key-ID: 0xCA9F07CC
Fingerprint: AA05 1213 6AA3 918C F3AB 922D 4A26 1A41 CA9F 07CC
E-Mail: Johannes Vieweg
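Step 7 of Johannes' list (turning off telnet, rsh and friends on the freshly installed box) as an added worked example; this is not code from his post or from SuSE. On a 6.x system those services are started from /etc/inetd.conf, so the script reports which clear-text or trust-based services are still enabled there and writes a copy with them commented out. The inetd.conf content is constructed for the demonstration, and the INSECURE list is my choice of which entries to flag.

```shell
#!/bin/sh
# Added example: flag and disable insecure inetd services after a reinstall.
# Constructed sample config; on a real host point the functions at /etc/inetd.conf.
set -u

# Services to disable in favour of ssh: clear-text login and r* trust services.
# (Assumption for this example; extend the list to taste, e.g. with ftp.)
INSECURE='telnet shell login exec'

# Write a constructed inetd.conf to the path given as $1
write_sample_inetd() {
  cat > "$1" <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/popper -s
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
EOF
}

# Print the names of enabled (uncommented) services that are on the INSECURE list
list_insecure() {
  awk -v list="$INSECURE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    ($1 in bad) { print $1 }
  ' "$1"
}

# Copy inetd.conf ($1) to $2 with the insecure services commented out
disable_insecure() {
  awk -v list="$INSECURE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    !/^[ \t]*#/ && ($1 in bad) { print "#" $0 "\t# disabled: use ssh instead"; next }
    { print }
  ' "$1" > "$2"
}

# Number of service lines that are actually enabled (not comments, not blank)
count_active() {
  grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Usage: sh inetd_harden.sh --demo
case "${1:-}" in
  --demo)
    tmp=$(mktemp -d)
    write_sample_inetd "$tmp/inetd.conf"
    echo "== insecure services still enabled:"; list_insecure "$tmp/inetd.conf"
    disable_insecure "$tmp/inetd.conf" "$tmp/inetd.conf.new"
    echo "== active services before/after: $(count_active "$tmp/inetd.conf") / $(count_active "$tmp/inetd.conf.new")"
    ;;
esac
```

After swapping the hardened file into place the daemon has to re-read it (`killall -HUP inetd` on a 6.x box), and the portscan Johannes suggests at the end is the independent confirmation that the ports really closed; the count functions only tell you what the config says, not what is listening.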
On Wed, 10 May 2000, Chrissy LeMaire wrote:
Hey all, I've got a friend that possibly has a hacked machine.. and has recently purchased 6.4. Does he have to format the drive and start from almost scratch, or will just updating the system take care of the problem?
To be really sure that no backdoors are left active after the update, he has to _install_ from scratch. Could he verify how these people got access to his machine?

Bye, Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
To be really sure that no backdoors are left active after the update, he has to _install_ from scratch.
Could he verify how these people got access to his machine?

Thank you all for your input. We have decided to go ahead, get a new HDD and install SuSE from scratch there.. Thomas, the intruders got in through another hacked machine. A user account was hijacked, and we aren't too sure if root was stolen too or not.. the evidence left on the machine may well be a honeypot.. The other hacked machine has been banned from his comp. Thanks again, Chrissy