Linked by Thom Holwerda on Mon 17th Jul 2006 22:52 UTC, submitted by anonymous
Linux "Hopefully you never had to restore your own system from a compromise and you will not have to do this in the future. Working on several projects to restore a compromised Linux system for various clients, I have developed a set of rules that others might find useful in similar situations. The type of hacks encountered can be very variate and you might see very different ones than the one I will present, or I have seen live, but even so, this rules might be used as a starting point to develop your own recovery plan."
Permalink for comment 144049
To read all comments associated with this story, please click here.
Wiping the system...
by mbpark on Tue 18th Jul 2006 03:48 UTC
Member since:

If you can hook the kernel, Tripwire won't help you. That means you can mess with the file system drivers, and make the replaced files appear as they were, replete with hashes.

Think of how people get around this with Alternate File Streams in Windows.

Even if this is one of those simple PerlBot or PHPBot hacks, you wipe and reinstall.

If you want to investigate, get yourself a write-blocker and/or mount the filesystem from a live CD such as FIRE, off the network. Knoppix and its variants also work quite well.

For Windows, a Write Blocker and BartPE (the UBCD variant) work really well.

When you rebuild, you make double sure that you are only running what you need, with only the permissions it needs. Tools like GRSecurity, PAX, and SELinux are really good here.

Unfortunately, many LAMP/WAMP apps are guilty of excessive permissions on the app and database sides.

When you look at what you're running, always think of what is the absolute minimum you need to get it to run.

Also make sure that you're sanitizing all user input. Additionally, make sure you use parameterized database queries, and none of this dynamic SQL garbage ;) .

Password complexity is also a given, as is the use of SSH Keys where appropriate.

The best way to recover from a hack after reinstalling is to make sure that you are running the most up to date software, and that you've reviewed your app code to fix as many holes as possible. You also want to make sure that all your apps run with as few permissions as possible, and that you've taken all the precautions you can.

I see too many apps these days written in PHP that are easily exploited to turn machines into bots. Hopefully the author can add these suggestions to their toolkit.

Reply Score: 4