[unisog] anyone heard of this?

Tom Perrine tep at SDSC.EDU
Mon Jan 28 18:56:25 GMT 2002


Smells like a root compromise, all right.  I wouldn't even trust the
md5 program on the box.  That host will lie to you.  Don't trust it
:-) 

If it was me, I would normally just re-install the box from scratch.
But since you can't do that immediately, here are some steps that will
give you a lower-assurance result.

* take an image copy of the system disk (at least)
* mount that image somewhere else as a data disk (read-only)
* run the md5s on that
* run The Coroner's Toolkit on the image to see if it can recover
  anything useful
* determine which patches were actually in place, and which were
  missing
* check off-host logs for at least last 4 weeks (you do log to a
  loghost, right?)

The goal is to find evidence of the compromise, verify the entry
method, and establish what has actually been changed (find backdoors,
etc.)  If you get the intruder's tools, that is bonus points, and may
help you determine the entry method.

If you find evidence of a root compromise, you really do want to
re-install, unless you think you had a pretty low-end attacker.

Good luck.

-- 
Tom E. Perrine (tep at SDSC.EDU) | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | Voice: +1.858.534.5000
"The French are glad to die for love..."  - Moulin Rouge
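The "mount the image read-only elsewhere and run the md5s on that" step above only helps if the checksums are computed by a trusted tool on the analysis host and compared against a baseline that did not come from the suspect machine (vendor media, a package database, or an earlier off-host manifest). The script below is an added illustration of that comparison, not code from the original post or from the unisog list: it assumes the imaged system disk is already mounted read-only at some path (`mount_root`), that a known-good manifest in `md5sum` output format exists, and it builds a small constructed directory tree in a temporary location to stand in for the mounted image.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path, algo="md5"):
    """Hash one file in chunks. This runs on the analysis host, never on the suspect box."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse md5sum-style lines ('<hex>  <path>' or '<hex> *<path>') into {path: hex}."""
    baseline = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, rel = parts
        baseline[rel.lstrip("*")] = digest.lower()
    return baseline


def compare_image(mount_root, baseline, algo="md5"):
    """Walk the read-only mounted image and diff it against the trusted baseline.

    Returns files whose content changed, files the baseline lists but the image
    lacks, and files present on the image that the baseline never knew about.
    """
    root = Path(mount_root)
    found = {}
    for p in root.rglob("*"):
        # Symlinks are skipped here; a real review inspects their targets separately.
        if p.is_file() and not p.is_symlink():
            found[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return {
        "modified": sorted(f for f in baseline if f in found and found[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in found),
        "added": sorted(f for f in found if f not in baseline),
    }


def build_demo_image():
    """Constructed stand-in for the mounted image: a tiny tree plus a baseline manifest.

    The file names and contents are made up for this example; the manifest is taken
    from the clean state, then three changes are applied to mimic what a post-incident
    comparison is meant to surface.
    """
    root = Path(tempfile.mkdtemp(prefix="suspect-image-"))
    clean = {
        "bin/ls": b"clean ls binary\n",
        "bin/ps": b"clean ps binary\n",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    }
    for rel, data in clean.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = "\n".join(f"{hash_file(root / rel)}  {rel}" for rel in clean)

    (root / "bin/ps").write_bytes(b"replaced ps binary\n")  # a system binary changed
    (root / "bin/ls").unlink()                              # a baseline file removed
    hidden = root / "dev/.hidden"
    hidden.parent.mkdir(parents=True)
    hidden.write_bytes(b"unexpected file\n")                # a file the baseline never had
    return root, manifest


def run_demo():
    """Build the constructed image, compare it to its baseline, and clean up."""
    root, manifest = build_demo_image()
    try:
        return compare_image(root, parse_manifest(manifest))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:9s} {files}")
```

On a real image you would point `compare_image` at the read-only mount point and feed it a manifest generated from trusted media, then treat every entry in `modified` and `added` as a lead to examine rather than as proof on its own (package upgrades and local configuration legitimately change files too). MD5 is kept here because that is what the post and the tooling of the day used; the `algo` parameter accepts any `hashlib` name, and a SHA-256 manifest is the better choice where one is available.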