[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031222221602.GB29691@mordor.angband.thangorodrim.de>
From: als at thangorodrim.de (Alexander Schreiber)
Subject: Removing ShKit Root Kit
On Mon, Dec 22, 2003 at 01:52:57PM -0600, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: full-disclosure-admin@...ts.netsys.com
> > [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> > Alexander Schreiber
> > Sent: Monday, December 22, 2003 12:24 AM
> > To: Chris
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
> >
> > There is exactly one way to properly clean up a rooted box:
> > backup the system (for later analysis and for keeping any
> > data that might be needed), wipe the disks and reinstall from
> > known clean install media, update the system to get all
> > current security updates und properly secure the box.
> >
> This advice is common, and it's always mystified me. Why would you want
> backups of the "data"? If the box is compromised, you can't trust
> *anything* on it, can you? How can you know for certain that "data"
> isn't a cleverly concealed backdoor?
>
> I can understand backing up the disk for offline analysis, but I would
> think you'd want to restore your data from known good copies, wouldn't
> you? And if you don't have known good data backups, well, then consider
> it a lesson learned and do it right the next time.
Keeping a backup of the data of the compromised box can be useful for
several purposes:
- Offline analysis: how did cracker get into the box and what did he do,
once he owned it?
- What data was on the box (unless deleted by the cracker) and must
therefore considered compromised?
- Maybe it needs to be kept as evidence (but then better follow proper
forensic data duplication procedures).
- If you don't have current backups of the data and the data was worth
keeping (most likely true) slap yourself silly with a wet towel
because you (or your management) have been stupid. Try to recover the
data from the box, but consider all of it well and truly mangled,
after all, if your secret source code was on this box, the cracker
might as well have hidden a nasty backdoor in there ...
Of course, restoring the data from known good backups is always better.
If you have proper backups, don't care for the analysis and just want to
have the machine back working, then just wipe, reinstall, secure, restore
and be done with it.
Regards,
Alex.
--
"Opportunity is missed by most people because it is dressed in overalls and
looks like work." -- Thomas A. Edison
Powered by blists - more mailing lists