From: Neil Long (neil.longCOMPUTING-SERVICES.OXFORD.AC.UK)
Date: Tue Jan 23 2001 - 11:37:00 CST
> > Matt, generally (well, actually 99.999% of the time), the rule is to
> > totally reformat whenever there has been a root level compromise.
> > Go to your old backups, restore from there. Have a stiff drink, for
> > that box is history.
> My rule #0 is get an image copy before doing your rule #1.
> Yes, trying to "clean up" is nearly futile, but properly handling
> the incident is important.
> > But for future reference, check the file attributes...
> One of the main reasons for doing my rule #0 is because you may not
> think of this until after you've already re-formatted, at which point
> its too late. There are lots of things you should check, including
> file attributes, but you won't remember them all, let alone do them
> all, in the three hour time window you might give yourself.
> I still suggest spending the extra hour or so to get an image copy
> first, which you can then come back to at a later date (even hand
> over to law enforcement if AFOSI calls you two years later and asks to
> see logs from the system -- this DOES happen.)
> > But I wouldn't spend any more time on that box. It's rooted.
> > Restore from backups. Take a look at Bastille and Tripwire for the
> > future!
> As a learning experience, there is a lot you can gain from spending
> more time analyzing it, provided you have the time and you want to
> learn. Bastille helps prevent future problems, and Tripwire (as long
> as you don't get an LKM installed) can help identify future problems,
> but you don't get "in the trenches" learning if you never leave
> the couch. (P.S. Some things that come back from backups you DON'T
> want on your system, so even this advice should have its caveats.)
> Dave Dittrich Computing & Communications
All good advice from Dave ;-) Just to add that any host which has been
broken via the Ramen worm is just as likely to have already been rootkitted
by one of the many other scanners which have been sweeping by /16 net block
for the past few months.
Pre-conceptions are often not a good starting point. Pulling the disk and
mounting it read-only, or working from an image, is a much better approach.
The Ramen script makes little or no attempt to hide its activities - not so
for the others that have been going around.
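Dave's "rule #0" (image the disk before anything else) and Neil's "mount it read-only or via an image", as an added example script that is not part of the original thread. It assumes GNU coreutils (dd, sha256sum) and a Linux loop mount; the device and mount-point paths are placeholders chosen by whoever runs it.

```shell
#!/bin/sh
# Added example, not from the thread above: acquire a verifiable image of a
# compromised disk, then attach it read-only for later analysis.
# Assumes GNU coreutils and Linux; paths are placeholders supplied by the caller.
set -u

# image_disk SRC DEST: bit-for-bit copy of SRC (a block device such as
# /dev/sdb, or any file) to DEST, continuing past read errors, then record the
# SHA-256 of both so the copy can be verified later or handed to law
# enforcement. bs=512 matches the sector size, so the padding added by
# conv=sync for a failed sector never changes the length of the image.
image_disk() {
  src="$1"; dest="$2"
  dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
  sha256sum "$src"  | cut -d' ' -f1 > "$dest.src.sha256"
  sha256sum "$dest" | cut -d' ' -f1 > "$dest.sha256"
}

# verify_image DEST: the digest taken of the source at acquisition time must
# equal the digest of the image just written; a mismatch means a bad copy.
verify_image() {
  [ "$(cat "$1.src.sha256")" = "$(cat "$1.sha256")" ]
}

# check_image DEST: months later, before touching the image again, recompute
# its digest and compare with the one recorded at acquisition.
check_image() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.src.sha256")" ]
}

# mount_image_ro IMG MNT: attach the image so examination cannot alter it or
# run anything from it: ro (no writes), noexec/nosuid/nodev (nothing on the
# suspect disk executes or acts as a device), noatime (no access-time updates).
# For ext3/ext4 images add "noload" as well, or the journal is replayed even
# on a read-only mount. Without root the command is printed for review instead.
mount_image_ro() {
  cmd="mount -o ro,noexec,nosuid,nodev,noatime,loop $1 $2"
  if [ "$(id -u)" -eq 0 ]; then $cmd; else echo "$cmd"; fi
}
```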