

Groups > comp.os.linux.security > #225

Re: Security breach?

From GangGreene <GangGreene@example.com>
Newsgroups comp.os.linux.security
Subject Re: Security breach?
Date 2013-01-13 16:14 -0500
Organization A noiseless patient Spider
Message-ID <plkbs9-oad.ln1@crazy-horse.bildanet.com> (permalink)
References (14 earlier) <slrnkf5ieu.kia.BitTwister@wb.home.test> <gd1bs9-ctc.ln1@crazy-horse.bildanet.com> <zvKdnZ1Tgcu9cG_NnZ2dnUVZ_tSdnZ2d@posted.lerostechnologies> <d89bs9-m3d.ln1@crazy-horse.bildanet.com> <%YEIs.22142$EO2.21075@newsfe04.iad>



On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

> On 2013-01-13, GangGreene <GangGreene@example.com> wrote:
>> On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:
>>
>>> On 01/13/2013 10:45 AM, GangGreene wrote:
>>>> On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:
>>>>
>>>>> On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
>>>>>> On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:
>>>>>>
>>>>>>> On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:
>>>>>>>
>>>>>>>> this case. Now I will install tripwire and rkhunter while clean
>>>>>>>> to further protect against these attacks.
>>>>>>>
>>>>>>> I tried tripwire awhile back. A bit complicated for me. That is
>>>>>>> why I went with http://sourceforge.net/projects/aide
>>>>>>
>>>>>> If you are using a rpm based distro then rpm -V -a is your friend.
>>>>>
>>>>> But not your best friend.  8-)
>>>>>
>>>>> It will not tell you about any new applications installed by some
>>>>> other method.
>>>>>
>>>>> What if the cracker used rpm to install malware?  :-(
>>>>
>>>> It will show if any installed file has changed from the original rpm
>>>> file (s).  From that information you will know what "system files"
>>>> have been compromised.  Then you can determine if a rootkit has been
>>>> installed.
>>> 
>>> Not if "the original rpm file(s)" were installed by the cracker, using
>>> rpm.
>>
>> Oh please
>>
>> I don't wear a tin foil hat like you do.
>> Isn't it a stretch that a cracker would break in, upload some rpm files,
>> install them, then burn a dvd with the new rpms and the offer to give
>> you the dvd at no charge?
>> If you would accept that dvd you shouldn't be offering services on the
>> internet in the first place.
> 
> What are you talking about? What is this about an offer to burn a dvd?
> He has installed the files via rpm. rpm -Va will say that those files he
> installed are perfectly valid files.  No need for a DVD.
> 
> 

rpm in this form will validate against the installed rpm db, which could 
have been altered.  If you use a dvd that has all the installed packages, 
that is not subject to being altered, so you get a good picture of what 
has been altered.

Also just checking the package signing would reveal tampered rpm packages.

> 
>>
>>>> If you find compromised system files then you know that you must
>>>> format and re-install without a doubt.  At this time I would not
>>>> care what other files have been installed.
>>> 
>>> You swing from one extreme (ignore that crackers can use rpm) to the
>>> other (any compromised system files means you must format and
>>> re-install without a doubt).  I favor the format/re-install, but
>>> after an attempt to track down what was actually done, to aid in
>>> future defense if nothing else.
>>
>> No I am not going to go farther after knowing that system files are
>> compromised.  That is enough for me to format and re-install.
> 
> Assuming you actually know that the change was not intentional. For
> example, /etc/passwd is a system file. rpm -Va will tell you it has
> changed. Do you reinstall? If you did you would spend all your time
> reinstalling.

I gave you the benefit of using your brain, are you saying that I should 
not have?


> And if the cracker came in via say the Java 7 breakin, would you keep
> reinstalling the same broken java?
> 
> 
>>

No I would install a more easily cracked version, again use your brain.


If you have the education of a two year old you should not be running 
services on the web.
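The thread argues over what `rpm -Va` can and cannot tell you: it flags changed files, but an edited `/etc/passwd` and a replaced `/usr/bin/ls` look alike at first glance, and the comparison is only against the local rpm database. As an added example (not from any poster in the thread), here is a small Python triage script that parses `rpm -V` output and separates expected config edits from changed binaries; the sample lines it runs on are constructed, not real output from anyone's system.

```python
"""Triage `rpm -Va` output (assumed-format sample lines, constructed here).

Each `rpm -V` line is a 9-character test string (8 on older rpm), an optional
attribute marker (c = config, d = doc, g = ghost, l = license, r = readme) and
the path. '.' means the test passed, '?' means it could not be run, a letter
names the failed test. Caveat from the thread: rpm -Va compares against the
local rpm database, which a root-level intruder can rewrite, so a clean result
is only as trustworthy as that database; confirm suspicious hosts with
`rpm -Vp` against package files from trusted media and `rpm -K` on the files.
"""
import re
from collections import namedtuple

TEST_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
              "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
              "P": "capabilities"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+"
                     r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S*)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S*)$")

Finding = namedtuple("Finding", "path attr failed severity")

def severity(attr, failed):
    content = {"size", "digest"} & set(failed)
    perms = {"mode", "owner", "group", "capabilities", "symlink", "device"} & set(failed)
    if attr in ("c", "d") and not perms:
        return "info"   # edited config/doc file: expected, review by hand
    if content or perms:
        return "high"   # non-config content or permission change: investigate
    return "low"        # mtime only, or test could not be run

def parse_line(line):
    m = MISSING_RE.match(line.rstrip("\n"))
    if m:
        return Finding(m.group("path"), m.group("attr"), ("missing",), "high")
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None     # header, warning or blank line
    failed = tuple(TEST_NAMES[ch] for ch in m.group("flags") if ch in TEST_NAMES)
    return Finding(m.group("path"), m.group("attr"), failed,
                   severity(m.group("attr"), failed))

def summarize(output):
    """Group paths by severity, preserving rpm's output order."""
    groups = {"high": [], "low": [], "info": []}
    for finding in filter(None, map(parse_line, output.splitlines())):
        groups[finding.severity].append(finding.path)
    return groups

# Constructed sample output: one config edit, two changed binaries,
# one timestamp-only change and one missing file.
SAMPLE = """\
S.5....T.  c /etc/passwd
S.5....T.    /usr/bin/ls
.......T.    /usr/lib64/libz.so.1.2.7
.M.......    /usr/bin/passwd
missing     /usr/bin/find
"""
```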



