Linux Journal: Thwarting the System Cracker, Part 5
Oct 23, 1999, 18:55
(Other stories by Marcel Gagné)
"After last week's article, I received a few panicked e-mails telling me that after using the RPM trick, files like "netstat" and "ls" had actually been modified. The question that followed was fairly obvious: "What now?"
"You have a fair number of options. Depending on the importance of the system, I will usually recommend taking a backup of the user directories, password and other critical system files, and rebuild the system without these files, using the backup as a reference for the new system. I won't just copy those files back. Our cracker may have hidden things in legitimate places and we don't want to let him back in quite that easily."
"You can also leave the system alone, tie down the host access with TCP wrappers, shut down non-essential services, and replace affected packages. Starting clean is important, but we don't always have that luxury -- not immediately anyway. If you discover that your "procps" or "net-tools" package has been modified by a cracker, the first thing to do is to reinstall the package. Since that package may have been the hole through which your cracker entered, it is usually a good idea to get the latest build from your vendor (RedHat, Caldera, Debian, etc.). For the truly paranoid, the fact is that once a cracker has access to your system, they can replace anything, including the very files we use to track down the damage. Like the Shaolin priests in the old TV series, "Kung-Fu", the cracker succeeds by being invisible."
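As an added worked example for the "What now?" step (this is editor-supplied code, not from Gagné's article or Linux Journal): a small POSIX shell triage script for `rpm -V` output. Each verify line is a flag column such as `S.5....T`, an optional attribute letter such as `c` for a config file, then the path; the script separates content changes in non-config files (the `netstat` and `ls` case above) from expected config edits, from attribute-only changes such as a new owner or mode, and from timestamp-only noise. The sample verification lines embedded in it are constructed for the example, not real output from a compromised host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output after a suspected compromise.
# Live usage:   rpm -Va | triage_rpm_verify
# Run rpm from trusted media (a read-only rescue disk) if the host's own
# rpm binary or the /var/lib/rpm database might have been tampered with.
#
# rpm -V line format (1999-era rpm: 8 flag chars SM5DLUGT; newer rpm adds P):
#   <flags>  [c|d|g|l|r] <path>        e.g.  S.5....T  c /etc/inetd.conf
#   missing  [c|d|...] <path>
# S = size differs, 5 = MD5 digest differs, M/U/G = mode/owner/group,
# L = symlink target, D = device number, T = mtime only.

triage_rpm_verify() {
    while read -r flags attr path; do
        # The attribute column is optional; without it $attr already holds the path.
        if [ -z "$path" ]; then
            path=$attr
            attr=
        fi
        # Skip anything that is not a verify line (dependency warnings etc.).
        case "$flags" in
            missing) ;;
            *[!SM5DLUGTP.]*) continue ;;
        esac
        case "$flags" in
            missing)
                echo "MISSING $path" ;;
            *5*|*S*)
                # Content changed: expected for config files, alarming otherwise.
                if [ "$attr" = "c" ]; then
                    echo "CONFIG $path"
                else
                    echo "MODIFIED $path"
                fi ;;
            *M*|*U*|*G*|*L*|*D*)
                # Same bytes but new permissions/owner/link target: a setuid
                # bit or a symlink swap is a classic way to keep a foothold.
                echo "ATTR $path" ;;
            *)
                # Only T (mtime) or nothing set: not evidence on its own.
                ;;
        esac
    done
}

# Constructed sample standing in for `rpm -Va` output on a cracked box.
SAMPLE_RPM_V='S.5....T   /bin/ls
S.5....T   /bin/netstat
.......T   /bin/ps
........  c /etc/passwd
.M...UG.   /usr/bin/passwd
S.5....T  c /etc/inetd.conf
missing    /usr/bin/top
S.5....T  c /etc/hosts.allow'

triage_sample() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
}

triage_sample
```

Feed the MODIFIED and ATTR paths to `rpm -qf` to learn which packages to replace, then reinstall from a fresh vendor build with `rpm -Uvh --replacepkgs --replacefiles`, as the article recommends. Because the installed database is itself writable by whoever owned the box, a stronger check is `rpm -Vp package.rpm`, which compares the files on disk against the checksums in a package file you obtained elsewhere rather than against the local database. The TCP wrappers step from the same paragraph is the usual pair of files: `ALL: ALL` in /etc/hosts.deny, and only the services and source networks you actually need listed in /etc/hosts.allow.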