Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] recovering from a possible hack
On Wed, 10 May 2000, Chrissy LeMaire wrote:
>hey all,
>I've got a friend that possibly has a hacked machine.. and has recently
>purchased 6.4. Does he have to format the drive and start from almost
>scratch or will just Updating the system take care of the problem?
>
>thanks much,
>Chrissy

Just updating the system and forgetting about the cracker is probably
not the best idea. First, this will not take care of cracked user accounts,
e.g. by .rhosts files in user home directories. Second, you will lose
all evidence of the hack if you do not back up a significant part of the
system prior to reinstalling. If you have no clue how the cracker might
have broken into the system you will probably end up with a similar bad
default configuration in the newly installed system. My point is that you
may learn a lot from a hacked system and be prepared the next time
someone wants to get into your system. Take your time to investigate
the system logs and look for installed root kits (e.g. by examining suspicious
text strings in system binaries, like ps, ls, netstat, lsmod, find etc. and
modified init scripts, by looking for anomalous accounts in passwd,
hidden dot-dot-blank directories ...). Or you might even consider
backing up your system, installing a neat kernel module to hide your
own packet sniffer, logging anomalous network traffic to another
host and just letting the cracker have fun for a while.

On the other hand, most people simply do not have the time to do
all that (though it _can_ be fun and interesting). In this case, installing
the system from scratch (including formatting the drive) is the only way to
be sure you don't leave any backdoors open.

Cheers,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster, Germany
E-Mail (work): lewelin@xxxxxxxxxxxxxxx
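
As an added illustration of three of the checks Martin lists (anomalous passwd accounts, .rhosts files in home directories, and "dot-dot-blank" hidden directories), here is a POSIX shell script that is not part of the original thread. It runs against a constructed sample tree built by `make_sample_root` so it can be tried offline; the function names are this example's own, and on a real host you would point the checks at `/` and `/etc/passwd` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a small sample
# filesystem (constructed data) containing one of each finding, then
# runs the checks against it. Replace the sample root with "/" on a
# live system.

make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/home/alice" "$root/home/bob" "$root/tmp/.. " "$root/etc"
  printf '+ +\n' > "$root/home/bob/.rhosts"    # trust-everyone .rhosts
  cat > "$root/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp:/bin/sh
EOF
  printf '%s' "$root"
}

# Accounts other than root that carry UID 0: anomalous passwd entries.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Every .rhosts under the home directories is a cracked-account candidate.
rhosts_files() {
  find "$1/home" -name .rhosts -type f 2>/dev/null
}

# Directory names made only of dots and spaces ("dot-dot-blank"), the
# classic hiding place for a root kit; ".kde"-style names are left alone.
hidden_dot_dirs() {
  find "$1" -type d -name '.*' 2>/dev/null | while IFS= read -r d; do
    base=${d##*/}
    stripped=$(printf '%s' "$base" | tr -d '. ')
    [ -z "$stripped" ] && printf '%s\n' "$d"
  done
}

run_checks() {
  echo "UID 0 accounts besides root:";   uid0_accounts "$1/etc/passwd"
  echo ".rhosts files under home:";      rhosts_files "$1"
  echo "dot/blank-only directory names:"; hidden_dot_dirs "$1"
}

run_checks "$(make_sample_root)"
```

The script only reports; deciding what each finding means (and preserving it as evidence before reinstalling) is still the investigator's job.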
