[NCLUG] openssh
John L. Bass
jbass at dmsd.com
Tue Jan 15 16:21:15 MST 2002
On Tue, Jan 15, 2002 at 09:46:23AM -0700, nclug wrote:
>We've seen a few "intrusions" lately on some of our client's machines
>also with similar hiddens. Do you know of any good way to find all
>of the files and directories that have been hidden?
Well, that's kind of what tripwire is meant to do... Also, on RPM-based
systems you can do "rpm -Va", which will check all the files it's installed
for modifications, as long as the rpm command and its database haven't
been modified.
However, I usually consider a compromised machine suspect until it's been
re-installed. We've run into a couple of situations where we did our best
to clean out compromised files, everything looked pretty straightforward
and easy to fix, and the attackers were back in within a few days, even
though the mechanisms that had been used to originally break in were
removed.
The fresh re-install and carefully moving over the old data files mechanism
always seems to work fine.
Sean
I used to generally agree for larger servers. For appliances like firewall/routers
with very little installed, and multiple of them, it is easier to clean up the trash
than install current bits and reconfigure. But you do need to get a handle on the
initial attack, and root kit, or you are certain to do it several times. This also
happens to be true of re-installs ... unless you figure it out, you are certain to
do it several times before you figure out what the attacks are.
In the past trojans have been installed in user accounts to exploit non-network
security holes. Most of these have been shell scripts with normal process names
in bin directories, and crontab or .forward triggers. So even tripwire and reinstall
don't always catch the "data" back doors without being able to compare against a
remote mirror or full dump for ALL changes in the system.
John
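As an added example (not part of the thread, and not a tool either poster used), here is a small shell sketch of the "compare against a stored baseline for ALL changes" approach John describes: record every regular file, dotfiles and cron spool included, with its mode, owner, size and hash; keep that manifest off the host (the remote mirror he mentions); and diff the live tree against it later. It assumes GNU `stat` and `sha256sum` (Linux); the script name and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal file-integrity baseline in
# the spirit of tripwire / "rpm -Va", but covering ALL regular files (dotfiles
# such as ~/.forward and cron spool entries included), since package
# verification never looks at user data. Assumes GNU stat/sha256sum (Linux).
# Limitation: paths containing tabs or newlines are not handled.
export LC_ALL=C          # stable byte order so comm/join agree with sort
tab=$(printf '\t')

# Emit one line per regular file under $1:  path<TAB>mode owner size sha256
build_manifest() {
    ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
        meta=$(stat -c '%a %U %s' "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s\t%s %s\n' "$f" "$meta" "$sum"
    done )
}

# Compare live tree $1 against stored manifest $2 (ideally fetched from a
# remote copy). Prints ADDED / REMOVED / CHANGED lines; returns 0 only when
# nothing differs, so it can drive a cron job or monitoring check.
check_manifest() {
    tmp=$(mktemp -d)
    build_manifest "$1" > "$tmp/cur"
    cut -f1 "$2" > "$tmp/b"            # baseline paths only
    cut -f1 "$tmp/cur" > "$tmp/c"      # current paths only
    {
        comm -13 "$tmp/b" "$tmp/c" | sed 's/^/ADDED   /'
        comm -23 "$tmp/b" "$tmp/c" | sed 's/^/REMOVED /'
        # same path in both manifests, but mode/owner/size/hash differ
        join -t "$tab" "$2" "$tmp/cur" | awk -F'\t' '$2 != $3 { print "CHANGED " $1 }'
    } > "$tmp/report"
    cat "$tmp/report"
    n=$(wc -l < "$tmp/report")
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# CLI (hypothetical name):  fim.sh baseline <dir> <manifest>
#                           fim.sh check    <dir> <manifest>
case "${1:-}" in
    baseline) build_manifest "$2" > "$3" ;;
    check)    check_manifest "$2" "$3" ;;
esac
```

Run `baseline` right after a clean install, copy the manifest off the box, and run `check` from a trusted copy of the script; a CHANGED `.forward` or an ADDED cron spool file is exactly the kind of "data" back door the thread notes that package verification misses.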