From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Removing ShKit Root Kit

"Schmehl, Paul L" to Alexander Schreiber:

> > There is exactly one way to properly clean up a rooted box: 
> > backup the system (for later analysis and for keeping any 
> > data that might be needed), wipe the disks and reinstall from 
> > known clean install media, update the system to get all 
> > current security updates and properly secure the box.
> >
> This advice is common, and it's always mystified me.  ...

Me too...

> ...  Why would you want
> backups of the "data"?  If the box is compromised, you can't trust
> *anything* on it, can you?  How can you know for certain that "data"
> isn't a cleverly concealed backdoor?

...though for a slightly different reason.

> I can understand backing up the disk for offline analysis, ...

I can't.

These days drives are really cheap -- ludicrously cheap.  You'll get a 
fifty to several hundred percent drive size increase for the same 
outlay as the initial drive cost depending on how long it is since the 
box was first built (unless it was brand new or you are talking about 
truly monster arrays where pricing is somewhat less mobile).

If you _imagine_ that you might engage the labour/time/expertise 
expense of any kind of forensic activity, clone the drive or back up the 
data (for whatever your reasons, but I agree with Paul's comments about 
the sanity of trusting any data off the compromised box as a backup 
source for restoring a new live system), keep the original drive 
physically separated from any machine (except for any future needs to 
make further image copies, etc., or to prove such a copy is a true 
likeness), install a new drive in the formerly compromised box, rebuild 
the system on the new drive, harden, etc., etc., and reconnect to the network.

This is overkill if you do not have true forensic requirements, but 
often you will not know that for sure until you are part way through 
the analysis (for example, it turns out there is evidence that the 
compromise was likely done by a competitor to steal something valuable 
that was then "covered up" to look like a typical skiddie web server 
defacement).

> ... but I would
> think you'd want to restore your data from known good copies, wouldn't
> you?  And if you don't have known good data backups, well, then consider
> it a lesson learned and do it right the next time.

Yep...


Regards,

Nick FitzGerald
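
The acquisition step described in the message above (clone the drive, set the original aside, and be able to prove later that a copy is a true likeness of it) as a worked shell example. This is an added example, not code from the original post or the thread's authors. It assumes a Linux host with GNU coreutils (dd, sha256sum, mktemp, awk) and a constructed file of random bytes standing in for the compromised drive; the function and file names are illustrative.

```shell
#!/bin/sh
# Added example: sector-level imaging of a drive with integrity records,
# so that any later copy can be shown to be bit-identical to the original.
# Assumes GNU coreutils. In real use SRC is the raw device (e.g. /dev/sdb)
# attached read-only (write blocker or blockdev --setro); never mount it.
set -eu

# Hash a file or block device and print only the hex digest.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC to DST sector by sector. conv=noerror,sync keeps going past an
# unreadable sector and zero-fills it instead of aborting the whole image;
# bs=512 matches the sector size, so the zero padding never changes the
# length of a healthy device (a larger bs would pad a short final block
# and the source and image digests would then legitimately differ).
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Image SRC to DST, hash both, record the digests beside the image and
# return 0 only when the image is bit-identical to the source.
acquire_and_verify() {
    src=$1
    dst=$2
    image_drive "$src" "$dst"
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    # Two-line record: <digest>  <name>; "source" stands for the original drive.
    printf '%s  %s\n' "$src_hash" "source" "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Re-check a stored image against the digest recorded at acquisition time,
# e.g. before handing a working copy to an analyst or after moving it.
verify_image() {
    dst=$1
    recorded=$(awk -v f="$dst" '$2 == f {print $1}' "$dst.sha256")
    [ -n "$recorded" ] && [ "$(hash_file "$dst")" = "$recorded" ]
}

# Demo on a constructed stand-in for the drive: 4099 sectors (2 MiB plus
# three sectors) of random bytes. Constructed sample, not a real disk.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/sda" bs=512 count=4099 2>/dev/null
    if acquire_and_verify "$work/sda" "$work/sda.img"; then
        echo "image verified:"
        cat "$work/sda.img.sha256"
        rm -rf "$work"
    else
        echo "image does NOT match source" >&2
        rm -rf "$work"
        return 1
    fi
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh image.sh demo`. The `.sha256` record is what lets you "prove such a copy is a true likeness": the original drive stays on the shelf, and every working copy made from the image is checked with `verify_image` before anyone touches it. Hash the source before it has been attached to anything writable, and keep the record with the chain-of-custody notes rather than only on the analysis machine.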
