Linux Journal: Thwarting the System Cracker, Part 5

After last week’s article, I received a few panicked
e-mails telling me that after using the RPM trick, files like
“netstat” and “ls” had actually been modified. The question that
followed was fairly obvious: “What now?”

You have a fair number of options. Depending on the importance
of the system, I will usually recommend taking a backup of the user
directories, password and other critical system files, and rebuilding
the system without these files, using the backup as a reference for
the new system. I won’t just copy those files back. Our cracker may
have hidden things in legitimate places and we don’t want to let
him back in quite that easily.

You can also leave the system alone, tie down host access
with TCP wrappers, shut down non-essential services, and
replace the affected packages. Starting clean is important, but we
don’t always have that luxury — not immediately anyway. If you
discover that your “procps” or “net-tools” package has been
modified by a cracker, the first thing to do is to reinstall the
package. Since that package may have been the hole through which
your cracker entered, it is usually a good idea to get the latest
build from your vendor (RedHat, Caldera, Debian, etc). For the
truly paranoid, the fact is that once a cracker has access to your
system, they can replace anything, including the very files we use
to track down the damage. Like the Shaolin priests in the old TV
series, “Kung-Fu”, the cracker succeeds by being invisible.
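As an added example (not code from the article), here is a small shell triage of `rpm -Va` output that turns the verification step into a reinstall list: it keeps only files whose checksum differs and that are not config files, then maps them to the packages to reinstall. The sample verification output and the package lookup table are constructed; on a real host `rpm -qf PATH` gives the owning package.

```shell
#!/bin/sh
# rpm -Va prints one line per file that differs from the package database:
#   <flags> [type marker] <path>
# flags: S size, M mode, 5 checksum, ..., T mtime; a "c" marker means config file.
# A changed checksum on a non-config binary is the signal the article describes
# ("netstat" and "ls" modified). This sample output is constructed, not real.
SAMPLE='S.5....T    /bin/ls
S.5....T    /bin/netstat
S.5....T  c /etc/inetd.conf
.......T    /bin/login
S.5....T    /bin/ps
missing     /usr/bin/top'

# Print paths whose checksum flag (5) is set and that are not config files.
suspect_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"      { next }   # absent files need separate handling
        index($1, "5") == 0  { next }   # contents unchanged (only mtime etc.)
        NF == 3 && $2 ~ /c/  { next }   # config file: local edits are expected
        { print $NF }'
}

# Map a suspect path to its owning package. Constructed stub standing in for
# "rpm -qf PATH"; the package names here are assumptions for the example.
owning_package() {
    case "$1" in
        /bin/ls)      echo fileutils ;;
        /bin/netstat) echo net-tools ;;
        /bin/ps)      echo procps ;;
        *)            echo unknown ;;
    esac
}

# Produce the de-duplicated list of packages to reinstall from vendor media.
reinstall_plan() {
    suspect_binaries "$1" | while read -r path; do
        owning_package "$path"
    done | sort -u
}
```

The resulting package list is what you would replace from a fresh vendor build, since the trojaned binaries themselves cannot be trusted to report on anything.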
