[opensuse] package verification?
All,

I had a new client call me today. They believe their system has had an intruder in it. Possibly just a worm/robot. Possibly a human. (The system is now offline.)

I believe it's running an unpatched version of SLES 9.0.

I'd like to verify if any of the executables have been altered from the beginning.

Is there a way to have RPM / YaST do that?

Thanks
Greg
--
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper - http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Monday 03 November 2008 11:32:00 pm Greg Freemyer wrote:
> I had a new client call me today. They believe their system has had an intruder in it. Possibly just a worm/robot. Possibly a human. (The system is now offline.)
> I believe it's running an unpatched version of SLES 9.0.
> I'd like to verify if any of the executables have been altered from the beginning.
> Is there a way to have RPM / YaST do that?
Hi Greg,

rpm -V would verify the installed packages against the checksum in the local database. But if the system has been compromised, there's no reason to trust the local database. After all, what would have stopped the attacker from installing his/her version of a certain package through rpm? Or to even modify rpm in some way so that it can't be trusted?

The only way to be sure that no executables have been altered would be to verify the checksum of each executable against the checksum of that file at system installation. You'd need a read-only medium with that checksum information on it, like a CD-ROM, and an intrusion detection package like AIDE. But if your client is running an unpatched system, I don't think they would have the prudence to have such a CD-ROM.

You might run chkrootkit and/or rkhunter (again, from CD) and see what that yields, but really the only way to be sure is a complete reinstall from guaranteed clean, uncompromised media. After all, if the attacker is good (always assume he/she is) there's no telling in how many ways the system is compromised.

But let's start at the beginning... why do they believe that their system has been compromised?

HTH,
Joop

------------------------------------------------------------
This message has been scanned for viruses and other dangerous content by MailScanner and appears to be clean.
MailScanner by http://www.prosolit.nl Professional Solutions for IT
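Added example, not written by anyone in this thread: a POSIX sh script that does what Joop describes above, comparing the files on the suspect disk against a manifest taken from pristine packages instead of against the suspect host's own rpm database (which the intruder could have rewritten, along with rpm itself). The manifest format is the one rpm -qp --dump prints: path, size, mtime, digest, mode, owner, group, isconfig, isdoc, rdev, symlink target. The media path in the comments is an assumption, and the tiny fake root, its manifest and the four tamperings in demo_run are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): check a suspect SLES/openSUSE root
# against a file manifest taken from PRISTINE packages, not from the suspect
# host's own rpm database.
#
# Build the manifest on a clean workstation after checking the package
# signatures (media path is an assumption; adjust to the real layout):
#   rpm --checksig /media/cdrom/suse/x86_64/*.rpm
#   rpm -qp --dump /media/cdrom/suse/x86_64/*.rpm > manifest.txt
# Then mount the suspect disk read-only on the clean host
# (e.g. mount -o ro,noexec,nodev /dev/sdb1 /mnt/suspect) and run
#   verify_manifest manifest.txt /mnt/suspect
# so that neither rpm nor md5sum from the suspect system is ever executed.
#
# rpm --dump line format:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# rpm 4.1 (SLES 9) emits MD5 digests; current rpm emits SHA-256. Directories,
# device nodes and symlinks carry an all-zero digest; the symlink field is "X"
# when the entry is not a symlink. Paths containing spaces are not handled.

verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r path size mtime digest mode owner group isconfig isdoc rdev link; do
        [ -n "$path" ] || continue
        target="$root$path"

        if [ "$link" != "X" ]; then
            # Manifest says symlink: it must still be one, pointing where it did.
            if [ ! -L "$target" ]; then
                if [ -e "$target" ]; then echo "TYPE $path is no longer a symlink"
                else echo "MISSING $path"; fi
                bad=$((bad + 1)); continue
            fi
            actual=$(readlink "$target")
            if [ "$actual" != "$link" ]; then
                echo "LINK $path expected=$link actual=$actual"; bad=$((bad + 1))
            fi
            continue
        fi

        if [ -L "$target" ]; then
            # A symlink where a regular file belongs: a classic way to trojan a binary.
            echo "TYPE $path is now a symlink to $(readlink "$target")"; bad=$((bad + 1)); continue
        fi
        if [ ! -e "$target" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        [ -f "$target" ] || continue      # directory or device node: no content to hash

        case ${#digest} in
            32) actual=$(md5sum "$target" | cut -d' ' -f1) ;;
            64) actual=$(sha256sum "$target" | cut -d' ' -f1) ;;
            *)  continue ;;
        esac
        if [ "$actual" != "$digest" ]; then
            if [ "$isconfig" = "1" ]; then
                echo "CONFIG $path"          # config files legitimately change; review by hand
            else
                echo "MODIFIED $path"; bad=$((bad + 1))
            fi
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Constructed demonstration: a tiny fake root, a manifest generated from its
# clean state (standing in for rpm -qp --dump of the pristine packages),
# then four tamperings of the kind an intruder leaves behind.
demo_run() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/bin" "$tmp/etc"
    printf 'clean ps binary\n'     > "$tmp/usr/bin/ps"
    printf 'clean top binary\n'    > "$tmp/usr/bin/top"
    printf 'clean bash binary\n'   > "$tmp/bin/bash"
    printf '127.0.0.1 localhost\n' > "$tmp/etc/hosts"
    ln -s bash "$tmp/bin/sh"

    {
        for f in /usr/bin/ps /usr/bin/top /bin/bash; do
            printf '%s %s 0 %s 0100755 root root 0 0 0 X\n' "$f" \
                "$(wc -c < "$tmp$f" | tr -d ' ')" "$(md5sum "$tmp$f" | cut -d' ' -f1)"
        done
        printf '/etc/hosts %s 0 %s 0100644 root root 1 0 0 X\n' \
            "$(wc -c < "$tmp/etc/hosts" | tr -d ' ')" "$(md5sum "$tmp/etc/hosts" | cut -d' ' -f1)"
        printf '/bin/sh 4 0 00000000000000000000000000000000 0120777 root root 0 0 0 bash\n'
        printf '/usr/bin 0 0 00000000000000000000000000000000 040755 root root 0 0 0 X\n'
    } > "$tmp/manifest.txt"

    # What the intruder did: trojaned ps, removed top, edited hosts, repointed /bin/sh.
    printf 'trojaned ps that hides the bot\n' > "$tmp/usr/bin/ps"
    rm "$tmp/usr/bin/top"
    printf '10.0.0.5 update.suse.com\n' >> "$tmp/etc/hosts"
    ln -sfn ../tmp/evilsh "$tmp/bin/sh"

    verify_manifest "$tmp/manifest.txt" "$tmp" || true
    rm -rf "$tmp"
}

demo_run
```

Run it on a clean host with the suspect disk mounted read-only and noexec. rpm -V on the running suspect host answers a weaker question, whether the files still match a database the intruder may already have updated, and it also assumes that rpm, libc and the kernel on that host are still honest. Changes reported as CONFIG are normal on any administered system and need a human eye; MODIFIED, MISSING, LINK and TYPE findings on package-owned binaries or libraries are what you are looking for.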
On Tuesday, 2008-11-04 at 08:31 +0100, Joop Beris wrote:
> The only way to be sure that no executables have been altered would be to verify the checksum of each executable against the checksum of that file at system installation. You'd need a read-only medium with that checksum
Or against another system installed in the same way, with the same updates.
> information on it, like a CD-ROM, and an intrusion detection package like AIDE. But if your client is running an unpatched system, I don't think they would have the prudence to have such a CD-ROM.
improbable. :-)
> You might run chkrootkit and/or rkhunter (again, from CD) and see what that yields, but really the only way to be sure is a complete reinstall from guaranteed clean, uncompromised media. After all, if the attacker is good (always assume he/she is) there's no telling in how many ways the system is compromised.
> But let's start at the beginning... why do they believe that their system has been compromised?
A 9, unpatched... must have many holes. Could even be a script kiddie. Now they'll learn to update.

--
Cheers,
Carlos E. R.
On Tuesday 04 November 2008 10:44:51 am Carlos E. R. wrote:
> On Tuesday, 2008-11-04 at 08:31 +0100, Joop Beris wrote:
> > The only way to be sure that no executables have been altered would be to verify the checksum of each executable against the checksum of that file at system installation. You'd need a read-only medium with that checksum
> Or against another system installed in the same way, with the same updates.
Okay, granted...but I sincerely hope they don't have more similarly unpatched systems hanging around on their network. If so, the attacker could have penetrated further into the network, not just in this one system (provided the network was set up in such a way to allow that to happen, of course).
> A 9, unpatched... must have many holes. Could even be a script kiddie. Now they'll learn to update.
True, but often people shout "OMG, I've been hacked" while there is something completely different going on with their system, which is causing it to behave unexpectedly. Without knowing what symptoms the system is showing, it's impossible to tell. A script kiddie is most likely... since a real hacker would be a lot better at covering his/her tracks.

Joop
On Tuesday, 2008-11-04 at 11:01 +0100, Joop Beris wrote:
> On Tuesday 04 November 2008 10:44:51 am Carlos E. R. wrote:
> > On Tuesday, 2008-11-04 at 08:31 +0100, Joop Beris wrote:
> > > The only way to be sure that no executables have been altered would be to verify the checksum of each executable against the checksum of that file at system installation. You'd need a read-only medium with that checksum
> > Or against another system installed in the same way, with the same updates.
> Okay, granted... but I sincerely hope they don't have more similarly unpatched systems hanging around on their network. If so, the attacker could have penetrated further into the network, not just into this one system (provided the network was set up in such a way as to allow that to happen, of course).
Ah, I didn't express myself quite well. I meant installing another system, now, off-network, and compare.
> > A 9, unpatched... must have many holes. Could even be a script kiddie. Now they'll learn to update.
> True, but often people shout "OMG, I've been hacked" while there is something completely different going on with their system, which is causing it to behave unexpectedly. Without knowing what symptoms the system is showing, it's impossible to tell.
Of course. I tend to think the worst, usually, but better make sure.
> A script kiddie is most likely... since a real hacker would be a lot better at covering his/her tracks.
A spambot, perhaps... converted this machine into a slave for their things.

--
Cheers,
Carlos E. R.
Participants (3):
- Carlos E. R.
- Greg Freemyer
- Joop Beris