what to do when you've been rooted

Eric Eisenhart eric at eisenhart.com
Sat Jan 20 18:15:15 PST 2001


On Sat, Jan 20, 2001 at 05:27:50PM -0800, Bob Blick wrote:
> I find my computer has been cracked, and a root kit has probably been
> installed.
> 
> It's running a redhat 6.2 system straight off the cd. I know the hole was in
> wu-ftpd, but I need to know which packages I should reinstall to make sure
> I have cleaned out the files typically overwritten by a root kit.

Well, the safest thing to do is a complete re-install.

"rpm -Va" can be very useful...

You have to understand what the output means, though.

What it does is spit out a list of files that are different in some way than
what the RPM (package management) database says they should be.  Before
that, it puts some kind of information about what changed.

There are columns, a "." means it passed that specific test.

5 means the MD5 sum check failed (in other words, the actual contents of the
file changed)

S means the size of the file is different

L means it's a symlink now and didn't use to be or maybe vice-versa.

T means the "Modification Time" changed.

D means it's now a device and didn't use to be or that it used to be a
device and isn't now.

U means the user changed

G means the group changed

M means the mode (permissions) changed.

You have to look at *what* changed, also.  For instance, here's a snippet
from when I run it:

..5....T c /etc/xinetd.d/eklogin
..5....T c /etc/xinetd.d/gssftp
..5....T c /etc/xinetd.d/klogin
..5....T c /etc/xinetd.d/krb5-telnet
..5....T c /etc/xinetd.d/kshell
S.5....T   /usr/bin/dbfdump
S.5....T c /etc/syslog.conf
S.5....T c /etc/mailcap
..5....T c /etc/mime.types
S.5....T c /root/.bashrc

Those "c"s mean that RPM believes that's a configuration file.

So, when I'm reviewing this, I say to myself, "did I do that?".  I don't
remember actually modifying the stuff in /etc/xinetd.d/, but when I look at
one of them, it's something that "ntsysv" would have changed when I turned
it off.  I'm pretty sure I changed /etc/syslog.conf, /etc/mailcap,
/etc/mime.types and /root/.bashrc.

/usr/bin/dbfdump changing (Size, MD5 and modtime) raises some red flags. 
"rpm -qif /usr/bin/dbfdump" reveals that it's part of the "perl-DBD-XBase"
package.  I recall updating the DBD::XBase module myself at one point, so
that's probably okay.

Problem with this is, it's possible that somebody might have installed a
rootkit that also changed the RPM database or the RPM program or the kernel
to see things as being as they still should be.
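As an added example (not from the original mail, Red Hat or rpm itself), here is a small Python helper that decodes "rpm -Va" lines the way the mail explains and sorts them into "changed program file", "config edit to confirm" and "timestamp only" buckets. It assumes the "missing" line form and the optional 9-column flag field of later rpm releases, and the extra sample lines beyond the mail's snippet are constructed.

```python
"""Triage helper for `rpm -Va` output (added example, not from the mail).

Caveat from the mail: the verdict is only as trustworthy as the rpm binary,
its database and the kernel on the host; a rootkit can tamper with all three.
"""
import re

# Meaning of each flag character; "." in that position means the test passed.
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions) differs",
    "5": "MD5 digest differs (file contents changed)",
    "D": "device major/minor number differs",
    "L": "symlink status differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "modification time differs",
}

# Constructed sample: the mail's own snippet plus a missing file, a changed
# setuid binary and a timestamp-only change (the last three are invented).
SAMPLE_OUTPUT = """\
..5....T c /etc/xinetd.d/eklogin
S.5....T   /usr/bin/dbfdump
S.5....T c /etc/syslog.conf
..5....T c /etc/mime.types
S.5....T c /root/.bashrc
missing    /usr/sbin/in.ftpd
SM5....T   /bin/login
.......T   /usr/share/magic
"""

# flags column (8 chars on rpm 3.x, 9 on later rpm) or the word "missing",
# then an optional attribute marker (c = config, d = doc, g = ghost, ...).
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)$"
)

def parse_line(line):
    """Return (path, set_of_flag_chars, is_config) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    changes = {"missing"} if flags == "missing" else {c for c in flags if c in FLAG_MEANINGS}
    return m.group("path"), changes, m.group("attr") == "c"

def describe(changes):
    """Human-readable list of what changed, e.g. for a report line."""
    return [FLAG_MEANINGS.get(c, c) for c in sorted(changes)]

def triage(output):
    """Bucket paths: content/ownership change to a non-config file or a missing
    file is 'high'; content change to a config file is 'review' ("did I do
    that?"); anything else (e.g. mtime only) is 'low'."""
    buckets = {"high": [], "review": [], "low": []}
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, changes, is_config = parsed
        if "missing" in changes or (not is_config and changes & {"5", "S", "M", "U", "G"}):
            buckets["high"].append(path)
        elif is_config and changes & {"5", "S"}:
            buckets["review"].append(path)
        else:
            buckets["low"].append(path)
    return buckets

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_OUTPUT).items():
        print(bucket, paths)
```

For each "review" path the next step is exactly the mail's "rpm -qif <path>" question: which package owns it, and do you remember changing it.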
 
> Any links? I remember visiting a great site that was easy to understand and
> pretty much just told what packages were likely targets. Unfortunately now
> that I need it, I can't find it.

Unfortunately, I can't recall any links offhand...

What's on the machine that you want to keep?  If nothing, just reinstall. 
If just a few data files, back those up someplace else and then reinstall.
If it's a massive amount of unique data, software, configuration, etc. then
you're in for a difficult time.

However, if you have space to back up /etc, /home and /usr/local someplace
else, and you followed the normal *nix directory conventions, you should be
okay to back that up (maybe boot off of a clean floppy), do a fresh install
and then move the essential (non-programs) stuff onto the new install.

> Be warned, everybody, if you have RH 6.2 on a machine, it is a prime
> target. The "Ramen Worm" got a lot of press recently and three days ago I
> got hit. Right now I took the machine off line until I fix it.

You *must* keep your machine up to date.  You should also shut down all
services that you're not actually using.

I recommend a 5-step process:

1) ftp to updates.redhat.com or a mirror
   (ftp.freesoftware.com/pub/linux/redhat/updates), grab all the files for
   your system (noarch, i386, i586 and i686) into a directory for this
   purpose and then run "rpm -Fvh *.rpm".
2) Run "ntsysv" and turn off everything you don't actually use.  Maybe even
   uninstall the packages.
3) Go to https://listman.redhat.com/mailman/listinfo/redhat-watch-list and
   subscribe.
4) Run "up2date".
5) Wait a week and repeat step 4.  (in other words, run up2date about once a
   week)

Actually, I'd not heard of the Ramen worm until just now.  Redhat has a page
with a bit of info about it, though:
http://www.redhat.com/support/alerts/ramen_worm.html

Looks like the problem was with wu-ftpd, nfs or lprng...  If you'd either
had those services turned off (because you'd followed step 2 and weren't
using it) or had updated those packages back in July when the problems had
been found, you couldn't have been hit.


Really, though; it's easiest to do a fresh install.  If you can't do a fresh
install, it's fairly labor intensive and difficult to do the cleanup or even
to try and talk you through one.
-- 
    Eric Eisenhart   Freedom is slavery.      http://eric.eisenhart.com/
 ^  ICQ#: 48217244   Ignorance is strength.   eric-dot-sig at eisenhart.com
/e\ Perl&SQL Coder   War is peace.            IRC Nicks: Falsch Freiheit
---                        -- George Orwell