[lug] R00tKIT!! Raah!
bgiles at coyotesong.com
Tue Jun 14 20:42:04 MDT 2005
David Anselmi wrote:
> I wouldn't trust cleaning the system unless I had a way to verify all
> the files on it. Most of those came from packages, so if you can
> compare checksums between your files and those from the official
> packages (using only programs you've already verified) you might be good.
I wouldn't trust checksums since an undetected rootkit may still
change the results. But I don't think it's hard to reinstall
packages. E.g., in Debian it's
# apt-get install --reinstall procps
to reinstall procps. The paranoid would run # apt-get clean first
and hardcode the ip addresses in /etc/apt/sources.list for the
duration. You could get a list of every installed package with
dpkg -l. Just leave the config files as they were. (Although you
might want to eyeball them anyway.)
That's still not 100% reliable against a good rootkit, but as I
mentioned earlier it's always a matter of balancing the pain.
> nor would it be easy to verify all the non-package files you
> have. So in the end I think rebuilding is a better choice (less time
> for a reasonable degree of certainty you're clean).
Reinstalling third party software might be a serious problem. We
have such a package, and it required several days of on-site
support to get it working. We have backups, of course, but the
original software requires serious support and that product went
"Windows only" many years ago. The Unix version is no longer
supported. In fact that's the main reason why we decided to risk
an attempt to scrub the system.
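A worked example of the reinstall-from-package-list step described above, added here and not part of the original thread. It assumes a Debian-style `dpkg -l` listing (a constructed sample is embedded so it runs without dpkg present) and only prints the apt-get command rather than running it:

```shell
#!/bin/sh
# Added example (not from the original thread): build the reinstall list
# from "dpkg -l" output. The first column is the package status:
# ii = installed, rc = removed but config files remain, un = unknown.
# Only "ii" entries should be fed to "apt-get install --reinstall".
# SAMPLE_DPKG_L is constructed output, embedded so this runs offline.

SAMPLE_DPKG_L='Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  procps         2:3.3.17-5     amd64        /proc file system utilities
ii  coreutils      8.32-4         amd64        GNU core utilities
rc  old-daemon     1.0-1          amd64        removed, config files remain
ii  libc6:amd64    2.31-13        amd64        GNU C Library: Shared libraries'

# Read dpkg -l output on stdin; print names of "ii" packages, one per line.
# The "rc" entry is skipped: reinstalling it would pull a removed package back.
installed_packages() {
    awk '$1 == "ii" { print $2 }'
}

# Read dpkg -l output on stdin; print the reinstall command the message
# recommends. apt-get keeps existing config files on --reinstall, so
# nothing under /etc is overwritten by this step.
reinstall_command() {
    pkgs=$(installed_packages | tr '\n' ' ')
    printf 'apt-get install --reinstall %s\n' "${pkgs% }"
}

# Demonstration against the constructed sample: prints the command only.
printf '%s\n' "$SAMPLE_DPKG_L" | reinstall_command
```

On a real system, `dpkg-query -W -f='${Package}\n'` gives untruncated package names, whereas `dpkg -l` may clip long names to its column width.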