
RE: [Full-Disclosure] Removing ShKit Root Kit



"Schmehl, Paul L" to Alexander Schreiber:

> > There is exactly one way to properly clean up a rooted box: 
> > backup the system (for later analysis and for keeping any 
> > data that might be needed), wipe the disks and reinstall from 
> > known clean install media, update the system to get all 
> > current security updates and properly secure the box.
> >
> This advice is common, and it's always mystified me.  ...

Me too...

> ...  Why would you want
> backups of the "data"?  If the box is compromised, you can't trust
> *anything* on it, can you?  How can you know for certain that "data"
> isn't a cleverly concealed backdoor?

...though for a slightly different reason.

> I can understand backing up the disk for offline analysis, ...

I can't.

These days drives are really cheap -- ludicrously cheap.  You'll get a 
fifty to several hundred percent drive size increase for the same 
outlay as the initial drive cost depending on how long it is since the 
box was first built (unless it was brand new or you are talking about 
truly monster arrays where pricing is somewhat less mobile).

If you _imagine_ that you might engage the labour/time/expertise 
expense of any kind of forensic activity, clone the drive or backup the 
data (for whatever your reasons, but I agree with Paul's comments about 
the sanity of trusting any data off the compromised box as a backup 
source for restoring a new live system), keep the original drive 
physically separated from any machine (except for any future needs to 
make further image copies, etc or to prove such a copy is a true 
likeness), install a new drive in the formerly compromised box, rebuild 
the system on the new drive, harden, etc., etc., and then reconnect to the network.

This is overkill if you do not have true forensic requirements, but 
often you will not know that for sure until you are part way through 
the analysis (for example, it turns out there is evidence that the 
compromise was likely done by a competitor to steal something valuable 
that was then "covered up" to look like a typical skiddie web server 
defacement).

> ... but I would
> think you'd want to restore your data from known good copies, wouldn't
> you?  And if you don't have known good data backups, well, then consider
> it a lesson learned and do it right the next time.

Yep...


Regards,

Nick FitzGerald
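An added example, not part of Nick's post or anyone else's in this thread, of the "clone the drive and be able to prove the copy is a true likeness" step: image the original with dd, record SHA-256 hashes of the source and the image at acquisition time, and re-check any later copy against that record. The "drive" here is a constructed file of random bytes in a temp directory, and the record file name and paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): acquire a bit-for-bit image of
# a drive with dd and keep a hash record so the copy can later be proven a
# true likeness of the original.  The fake drive, paths and the record file
# name are assumptions for illustration.
set -eu

# Portable SHA-256 of a file: GNU coreutils sha256sum, or Perl's shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# acquire_image SRC DST RECORD
# Copies SRC to DST block by block.  bs must divide the source size (512 or
# 4096 on a real drive): conv=noerror,sync keeps reading past bad sectors and
# zero-pads short reads, so an ill-chosen block size would change the hash.
# Writes "<hash>  <path>" lines for source and image to RECORD and succeeds
# only if the image hashes identically to the source.
acquire_image() {
    src=$1; dst=$2; record=$3
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dst")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$dst" > "$record"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG RECORD
# Re-hashes IMG and checks it against the hash recorded at acquisition.
# Run this on every further copy taken from the sealed original image.
verify_image() {
    img=$1; record=$2
    recorded=$(awk -v p="$img" '$2 == p { print $1 }' "$record")
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

# Demo with a constructed "drive": 256 KiB of random bytes in a temp dir.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/sda.raw" bs=4096 count=64 2>/dev/null
    acquire_image "$work/sda.raw" "$work/sda.img" "$work/sda.sha256" \
        || { echo "acquisition failed"; rm -rf "$work"; return 1; }
    verify_image "$work/sda.img" "$work/sda.sha256" \
        || { echo "fresh image did not verify"; rm -rf "$work"; return 1; }
    echo "image verified against $work/sda.sha256"
    # Tamper with the image (append a byte); verification must now fail.
    printf 'x' >> "$work/sda.img"
    if verify_image "$work/sda.img" "$work/sda.sha256"; then
        echo "tampered image passed (bug)"; rm -rf "$work"; return 1
    fi
    echo "tampered image rejected"
    rm -rf "$work"
}

demo
```

The record file is what you keep with the sealed original drive: anyone handed a later copy can re-run the verify step and show the copy still matches what was taken at acquisition, without touching the original again.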

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html