(For me, it also had false positives apparently due to btrfs root, and rkhunter had a false positive due to "/sbin/hdparm -B 254 /dev/sda" on /etc/rc.local)
kernel.org status: hints on how to check your machine for intrusion
Posted Oct 1, 2011 4:49 UTC (Sat) by jcm (subscriber, #18262)
Posted Oct 1, 2011 12:59 UTC (Sat) by nix (subscriber, #2304)
Posted Oct 3, 2011 1:29 UTC (Mon) by drag (subscriber, #31333)
That sort of reality is why the advice given in the email is misleading and can actually make the problem worse.
If anybody suspects compromises then the ONLY way to be sure is to reinstall from scratch.
THAT IS THE ONLY WAY.
The stupid hat tricks like rpm database verify and chkrootkit scripts are just mickey mouse stuff. If you are dealing with a guy that is lazy or an inexperienced script kiddy then they MAY, if you're lucky, actually find something suspicious.
A word to the wise:
IF at any point you have suspicions about a system compromise do NOT follow the advice in that email.
choose all new passwords and JUST REINSTALL from scratch.
You are doing yourself a HUGE favour if you just do that. You will save yourself SOOOOO much time and effort that it's not even funny.
If you think that trying to track down an attacker and cleaning your system out is going to save you time you are utterly deluding yourself. You do not understand the scope of the problem you are facing.
If you want to play detective and try to track down the source of the compromise, then that is fine, but never trust that system image again. Just make a copy of the file system using DD or buy entirely new hard drives or something. Don't try to put it back into production.
on a side note:
The only reliable, and feasible (with budget and time constraints) way to recover a system that is compromised without reinstalling is for you to maintain a database of file system checksums on separate (preferably read-only) media that is generated from a separate offline system or live CD.
That is, you must have done this BEFOREHAND. You must have booted up on a live CD or stuck the drive into a machine that is not on any network and then generated a checksum of each and every file on the system BEFORE the time period you suspect your system was compromised.
Then to recover you boot your system up on a live cd (or whatever) and then compare the last known good sets of checksums against the current. When you find discrepancies you must go through and check every file that is not properly accounted for by the checksum compare.
If you do not have the time to do that, or you did not generate a known good set of checksums, then the safest and quickest way is to reinstall.
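The baseline-and-compare procedure described in the comment above, as an added example (not code from the comment author or from LWN): build a manifest of per-file hashes while the system is still trusted, keep it on read-only media, and later rebuild the manifest from a live CD and report every file the baseline cannot account for. The sample tree is constructed inside a temporary directory; a real run would point `build_manifest` at the mounted drive rather than the running root.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> digest for every file under root (symlinks not followed)."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                # Record the link target instead of following it, so a swapped link shows up
                manifest[rel] = "symlink->" + os.readlink(p)
            elif p.is_file():
                manifest[rel] = hash_file(p)
    return manifest

def compare(baseline, current):
    """Return (added, removed, modified): the files a reviewer must account for by hand."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed sample tree standing in for a mounted root filesystem."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"known-good ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_manifest(root)  # taken from a trusted boot, before any suspicion
        # Later state: one binary replaced, one file added, one file removed
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "bin" / "extra").write_bytes(b"unexpected file")
        (root / "etc" / "hosts").unlink()
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The baseline must be generated and stored before the suspected compromise window, as the comment stresses; a manifest produced by the possibly compromised system itself proves nothing.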
Posted Oct 3, 2011 8:36 UTC (Mon) by misiu_mp (guest, #41936)
Posted Oct 10, 2011 0:24 UTC (Mon) by jamesh (guest, #1159)
Posted Oct 4, 2011 11:40 UTC (Tue) by rwmj (subscriber, #5474)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.