
Re: [Full-Disclosure] Removing ShKit Root Kit



A dissenting view.

Okay, you (finally) figured out that your machine has been compromised
(and that "finally" is, upon my word, a personal reflection of how seldom
anyone is paying attention, but that's another thread). Without question,
IMHO, the machine's data cannot be trusted. Back it up (for the obvious 
reasons that even bad data is better than no data) and plow that sucker.

Here's why - you don't know how I got in, or whether I can get back in,
and while rebuilding a box takes time, the forensics will take longer.
Suppose I rooted you using Apache (for example). Which module? Which 
page? Will a version upgrade fix it? Did I even *use* Apache (perhaps
it only *looks* like Apache but in reality it's a Javascript trojan)?
Again, the point is that you cannot be certain that anything (checksums
can be calculated by people who are smart enough to find vulnerabilities
in your machine - I once figured the checksum on a binary and replaced
it and tripwire was none the wiser...guess why?) is valid. You can do
a version (or even a release) upgrade on the box, but unless you know
for certain (and you don't) which files were compromised, you cannot know
for certain that the upgrade will patch the hole. That especially goes for
Windows (anyone care to do a 'dir/s/a mfc42.dll' and count how many different
ones live on your box).

All this about the executable bit is nice, but when my cron job (that
sets, runs, and unsets the 'x' bit on my trojan that you missed because
you forgot to run find in the /dev directory, let alone check the crontabs)
opens up a connection to my anonymous Yahoo account and mails me *your*
changes, I will know more than you do about your box. And if I rootkitted
you (which was the original thread) only a bootable CD (@stake, offmyserver
and lnx-bbc.org are three that I personally use) will give you tools that
*can* be trusted to determine just how rotten the box truly has been made.

People, r00t3d means "rebuild the box from known good media". Lazy people
(and I have had many, many instances of this in my personal experience)
who try and "patch the box" get 0wn3d again (and again...). Plow that box!

G

On or about 2003.12.22 16:00:50 +0000, Brian Eckman (eckman@umn.edu) said:

> It always will depend on the situation. Is throwing away a few million 
> transactions acceptable, when it might take a couple of hours or less to 
> compare the Oracle user list against a known good list? Should you 
> scrutinize each of those millions of transactions that occurred between 
> compromise and detection to make sure each and every one of them is 
> legit? If doing so costs more than it is worth (define as you wish), it 
> won't happen, and shouldn't.

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@gilliss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
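One way to run the two checks the post says people skip (regular files sitting under /dev, and crontabs that toggle execute bits), written as an added example rather than anything from the original message. It assumes the suspect root filesystem has been mounted read-only under the path passed as `$1` from a bootable rescue CD, so every tool used comes from the trusted medium; the demo tree it builds is constructed, not real data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the compromised box's root
# filesystem is mounted read-only at "$1" (e.g. /mnt/suspect) after booting
# trusted media, so find/grep/sed here are the rescue CD's binaries.

# A /dev tree should hold device nodes, directories, symlinks and FIFOs.
# Any regular file there deserves a look; prints each path, one per line.
find_dev_regular_files() {
    find "$1/dev" -xdev -type f 2>/dev/null | sort
}

# Enumerate every crontab the box would honour: per-user spools (both common
# locations), the cron.d drop-in directory and the system crontab.
list_crontab_files() {
    for d in "$1/var/spool/cron" "$1/var/spool/cron/crontabs" "$1/etc/cron.d"; do
        [ -d "$d" ] && find "$d" -type f
    done
    [ -f "$1/etc/crontab" ] && printf '%s\n' "$1/etc/crontab"
    return 0
}

# Flag crontab lines that chmod something or reference a path under /dev,
# the set-x / run / unset-x pattern described above. Output: file:line:text
suspicious_cron_lines() {
    list_crontab_files "$1" | while read -r f; do
        grep -nE 'chmod|/dev/' "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Constructed demo root (hypothetical names): a throw-away tree with a FIFO and
# one planted regular file under /dev, plus a cron.d entry that toggles its x bit
# and a benign /etc/crontab. Prints the tree's path.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/dev" "$root/etc/cron.d" "$root/var/spool/cron"
    mkfifo "$root/dev/initctl"
    printf 'not a device node\n' > "$root/dev/.shm_cache"
    printf '*/5 * * * * root chmod +x /dev/.shm_cache; /dev/.shm_cache; chmod -x /dev/.shm_cache\n' \
        > "$root/etc/cron.d/sysstat"
    printf '0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$root/etc/crontab"
    printf '%s\n' "$root"
}
```

Run the three check functions against the mounted suspect root; anything they print is a starting point for deciding what the rootkit touched, not a substitute for the rebuild the post argues for.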

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html