Path: csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!eternal-september.org!feeder.eternal-september.org!mx04.eternal-september.org!.POSTED!not-for-mail
From: GangGreene
Newsgroups: comp.os.linux.security
Subject: Re: Security breach?
Date: Sun, 13 Jan 2013 16:14:01 -0500
Organization: A noiseless patient Spider
Lines: 93
Message-ID:
References: <2R_Hs.22037$532.962@newsfe03.iad> <%YEIs.22142$EO2.21075@newsfe04.iad>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Info: mx04.eternal-september.org; posting-host="0e16daac4e0b43d62bbb53f219b58d58"; logging-data="2426"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18hJZTAyyQo+oQqcbRpEM7slm+8U4YofHA="
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Cancel-Lock: sha1:2s2aMU6t3UNd5Srlxa6uLikUAXk=
Xref: csiph.com comp.os.linux.security:225

On Sun, 13 Jan 2013 20:40:27 +0000, unruh wrote:

> On 2013-01-13, GangGreene wrote:
>> On Sun, 13 Jan 2013 12:21:35 -0500, Jim Beard wrote:
>>
>>> On 01/13/2013 10:45 AM, GangGreene wrote:
>>>> On Sun, 13 Jan 2013 14:51:10 +0000, Bit Twister wrote:
>>>>
>>>>> On Sun, 13 Jan 2013 07:24:17 -0500, GangGreene wrote:
>>>>>> On Sun, 13 Jan 2013 03:01:39 +0000, Bit Twister wrote:
>>>>>>
>>>>>>> On Sat, 12 Jan 2013 16:29:53 -0600, Ohmster wrote:
>>>>>>>
>>>>>>>> this case. Now I will install tripwire and rkhunter while clean
>>>>>>>> to further protect against these attacks.
>>>>>>>
>>>>>>> I tried tripwire awhile back. A bit complicated for me. That is
>>>>>>> why I went with http://sourceforge.net/projects/aide
>>>>>>
>>>>>> If you are using an rpm-based distro then rpm -V -a is your friend.
>>>>>
>>>>> But not your best friend. 8-)
>>>>>
>>>>> It will not tell you about any new applications installed by some
>>>>> other method.
>>>>>
>>>>> What if the cracker used rpm to install malware? :-(
>>>>
>>>> It will show if any installed file has changed from the original rpm
>>>> file(s). From that information you will know what "system files"
>>>> have been compromised. Then you can determine if a rootkit has been
>>>> installed.
>>>
>>> Not if "the original rpm file(s)" were installed by the cracker, using
>>> rpm.
>>
>> Oh please
>>
>> I don't wear a tin foil hat like you do.
>> Isn't it a stretch that a cracker would break in, upload some rpm files,
>> install them, then burn a dvd with the new rpms and then offer to give
>> you the dvd at no charge?
>> If you would accept that dvd you shouldn't be offering services on the
>> internet in the first place.
>
> What are you talking about? What is this about an offer to burn a dvd?
> He has installed the files via rpm. rpm -Va will say that those files he
> installed are perfectly valid files. No need for a DVD.
>

rpm in this form will validate against the installed rpm db, which could have been altered. If you use a dvd that has all the installed packages, that is not subject to being altered, so you get a good picture of what has been altered. Also, just checking the package signing would reveal tampered rpm packages.

>
>>
>>>> If you find compromised system files then you know that you must
>>>> format and re-install without a doubt. At this time I would not
>>>> care what other files have been installed.
>>>
>>> You swing from one extreme (ignore that crackers can use rpm) to the
>>> other (any compromised system files means you must format and
>>> re-install without a doubt). I favor the format/re-install, but
>>> after an attempt to track down what was actually done, to aid in
>>> future defense if nothing else.
>>
>> No, I am not going to go farther after knowing that system files are
>> compromised. That is enough for me to format and re-install.
>
> Assuming you actually know that the change was not intentional. For
> example, /etc/passwd is a system file. rpm -Va will tell you it has
> changed. Do you reinstall? If you did you would spend all your time
> reinstalling.

I gave you the benefit of using your brain; are you saying that I should not have?

> And if the cracker came in via say the Java 7 breakin, would you keep
> reinstalling the same broken java?
>
>
>>

No, I would install a more easily cracked version; again, use your brain. If you have the education of a two-year-old you should not be running services on the web.
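The thread turns on two points about `rpm -Va`: most of what it reports on a healthy box is config files like /etc/passwd that are supposed to differ from the package, and a changed binary under /usr/bin is a very different matter. The script below is an added example written for this page, not code from any poster; it parses `rpm -Va` output (piped on stdin, or a constructed sample when run interactively) and sorts the reports into expected noise versus "format and reinstall" findings. The attribute-string format is rpm's documented S/M/5/D/L/U/G/T/P layout plus the c/d/g/l/r file-type column; the list of "code" directories is an assumption for this example.

```python
"""Triage the output of `rpm -Va`.

Added example for this thread, not code from any poster. It separates
reports that are expected on a working system (config files such as
/etc/passwd, docs) from reports that point at tampered binaries or
libraries. The rpm -Va sample at the bottom is constructed, not a real
capture.
"""
import re
import sys
from collections import defaultdict

# One report line: a 9-character attribute string (8 on older rpm) or the
# word "missing", an optional file-type letter (c=config, d=doc, g=ghost,
# l=license, r=readme), then the absolute path.
LINE_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/\S+)\s*$"
)

# Unexplained content changes under these prefixes are treated as
# "assume compromise"; the list is an assumption for this example.
CODE_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/boot/",
)


def parse_line(line):
    """Return (attrs, ftype, path) for a report line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("attrs"), m.group("ftype"), m.group("path")


def classify(attrs, ftype, path):
    """Return (severity, reason) for one parsed report line."""
    if attrs == "missing":
        if ftype == "g":
            return "info", "ghost file absent (normal)"
        return "high", "packaged file missing"
    if "?" in attrs:
        # rpm could not run a test, usually because it was not run as root.
        return "unknown", "test not performed (not root?)"
    content = "".join(f for f in "S5" if f in attrs)   # size / digest
    meta = "".join(f for f in "DLMUGP" if f in attrs)  # device, link, mode, owner, group, caps
    if ftype in ("c", "d", "l", "r"):
        # Config and doc files are edited legitimately; only ownership,
        # mode or capability changes on them are worth a closer look.
        if meta:
            return "medium", f"{ftype}-file metadata changed ({meta})"
        return "low", f"{ftype}-file content/mtime changed (usually expected)"
    if content or meta:
        if path.startswith(CODE_PREFIXES):
            return "high", f"code or library changed ({content}{meta})"
        return "medium", f"non-config file changed ({content}{meta})"
    if "T" in attrs:
        return "low", "mtime only"
    return "info", "no verifiable change"


def triage(lines):
    """Group parseable report lines by severity -> [(path, reason), ...]."""
    out = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            sev, why = classify(*parsed)
            out[sev].append((parsed[2], why))
    return dict(out)


# Constructed sample in rpm -Va format (not a real capture).
SAMPLE = """\
S.5....T.  c /etc/passwd
.M.......  c /etc/sudoers
S.5....T.    /usr/bin/ls
.......T.    /usr/bin/vim
missing     /usr/sbin/sshd
.......T.  d /usr/share/doc/bash/README
.?.......    /usr/bin/passwd
S.5....T.    /var/lib/foo/cache.db
"""


def main():
    # Usage: rpm -Va 2>/dev/null | python3 triage.py  (or run with no input for the sample)
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    report = triage(lines)
    for sev in ("high", "medium", "unknown", "low", "info"):
        for path, why in report.get(sev, []):
            print(f"{sev:8s} {path}: {why}")


if __name__ == "__main__":
    main()
```

Two caveats from the thread still apply to anything this script prints. First, `rpm -Va` checks the filesystem against the rpm database on the same suspect disk, and the rpm binary and its libraries are on that disk too; the stronger check is to boot rescue media and verify against package files you trust, e.g. `rpm -Vp /media/dvd/Packages/*.rpm` for the contents and `rpm -K` (alias `--checksig`) for the package signatures, with `--root /mnt/target` pointing rpm at the mounted root rather than the running system. Second, as Bit Twister noted, nothing here will mention a file that no package owns; `rpm -qf /path` answering "not owned by any package" is the check for those.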