
Re: [Full-Disclosure] Removing ShKit Root Kit



On Mon, Dec 22, 2003 at 01:52:57PM -0600, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: full-disclosure-admin@lists.netsys.com 
> > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of 
> > Alexander Schreiber
> > Sent: Monday, December 22, 2003 12:24 AM
> > To: Chris
> > Cc: full-disclosure@lists.netsys.com
> > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
> > 
> > There is exactly one way to properly clean up a rooted box: 
> > backup the system (for later analysis and for keeping any 
> > data that might be needed), wipe the disks and reinstall from 
> > known clean install media, update the system to get all 
> > current security updates and properly secure the box.
> >
> This advice is common, and it's always mystified me.  Why would you want
> backups of the "data"?  If the box is compromised, you can't trust
> *anything* on it, can you?  How can you know for certain that "data"
> isn't a cleverly concealed backdoor?
> 
> I can understand backing up the disk for offline analysis, but I would
> think you'd want to restore your data from known good copies, wouldn't
> you?  And if you don't have known good data backups, well, then consider
> it a lesson learned and do it right the next time.

Keeping a backup of the data of the compromised box can be useful for
several purposes:
 - Offline analysis: how did the cracker get into the box and what did he do
   once he owned it? 
 - What data was on the box (unless deleted by the cracker) and must
   therefore be considered compromised?
 - Maybe it needs to be kept as evidence (but then better follow proper 
   forensic data duplication procedures).
 - If you don't have current backups of the data and the data was worth
   keeping (most likely true), slap yourself silly with a wet towel 
   because you (or your management) have been stupid. Try to recover the
   data from the box, but consider all of it well and truly mangled;
   after all, if your secret source code was on this box, the cracker
   might as well have hidden a nasty backdoor in there ...

Of course, restoring the data from known good backups is always better.

If you have proper backups, don't care for the analysis and just want to
have the machine back working, then just wipe, reinstall, secure, restore
and be done with it.

Regards,
        Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison

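Editor's added example, not part of Alex's post or anything else in this thread: the "proper forensic data duplication" step he refers to, written out as a small shell script that images a disk for offline analysis and records SHA-256 hashes of source and image so the copy can later be shown to be unaltered. Everything in it is my assumption, not the thread's: the function names and the custody-log format, that dd plus sha256sum (or shasum) are available, that the source is sector-aligned (a multiple of 512 bytes, so dd's padding does not change the hash), and that you run it from a trusted boot environment rather than from the compromised OS. The demo at the bottom images a constructed 64 KiB random file standing in for a disk.

```shell
#!/bin/sh
# Added example, not from the original thread: image a compromised disk for
# offline analysis and keep a hash record so the copy can be shown unaltered.
# Assumptions (mine): dd plus sha256sum or shasum are present; SRC is a block
# device or file whose size is a multiple of 512 bytes; this runs from a
# trusted boot environment, not from the compromised OS itself.

sha256_of() {
    # Print the SHA-256 of file $1 using whichever tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

forensic_image() {
    # forensic_image SRC IMG LOG
    # Copy SRC to IMG with dd, hash both, append a custody record to LOG and
    # make IMG read-only. Exit status: 0 hashes match, 1 copy/hash problem,
    # 2 IMG already exists (evidence is never overwritten).
    src=$1; img=$2; log=$3

    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2
        return 2
    fi

    before=$(sha256_of "$src")
    [ -n "$before" ] || return 1

    # noerror: keep reading past bad sectors; sync: pad a short read to a full
    # 512-byte sector so every later offset in the image still lines up.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    chmod 0444 "$img"

    after=$(sha256_of "$img")
    [ -n "$after" ] || return 1

    # Tab-separated custody record: when, what, where, both hashes, who.
    printf '%s\tsrc=%s\timg=%s\tsha256_src=%s\tsha256_img=%s\tby=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" \
        "$before" "$after" "$(id -un)" >> "$log"

    [ "$before" = "$after" ]
}

verify_image() {
    # verify_image IMG LOG: re-hash IMG and compare with the latest record
    # for it in LOG. Fails if there is no record or the image has changed.
    img=$1; log=$2
    recorded=$(awk -F '\t' -v want="img=$img" \
        '$3 == want { h = $5 } END { print h }' "$log")
    recorded=${recorded#sha256_img=}
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Demo on a constructed "disk": a 64 KiB random file standing in for /dev/sdX.
demo() {
    d=$(mktemp -d)
    head -c 65536 /dev/urandom > "$d/sdX"
    if forensic_image "$d/sdX" "$d/sdX.img" "$d/custody.log" &&
       verify_image "$d/sdX.img" "$d/custody.log"; then
        echo "image verified:"; cat "$d/custody.log"; rc=0
    else
        echo "image does NOT match source"; rc=1
    fi
    rm -rf "$d"
    return $rc
}

demo
```

The two checks that matter for the "keep it as evidence" case are that the image is never silently overwritten and that verify_image fails as soon as a single byte of the image differs from what was logged at acquisition time. Analysis then happens on the image (or a copy of it), never on the original disk, which is what lets you later wipe and reinstall the box without losing the trail of how it was broken into.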
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html