From: Dale
Date: Mon, 09 Aug 2010 17:19:19 -0500
Message-ID: <4C607EE7.7080500@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
In-Reply-To: <201008092222.40931.michaelkintzios@gmail.com>

Mick wrote:
> On Monday 09 August 2010 21:25:37 Dale wrote:
>
>> Robert Bridge wrote:
>>
>>> On Mon, Aug 9, 2010 at 8:09 PM, Mick wrote:
>>>
>>>> There have been discussions on this list why sudo is a bad idea and sudo
>>>> on *any* command is an even worse idea. You might as well be running
>>>> everything as root, right?
>>>>
>>> sudo normally logs the command executed, and the account which
>>> executes it, so while not relevant for single user systems, it STILL
>>> has benefits over running as root.
>>>
>>> RobbieAB
>>>
>> I don't use sudo here but I assume an admin would only know that a nasty
>> command has been run well after it was run? Basically, after the damage
>> has been done, you can go look at the logs and see the mess some hacker
>> left behind. For me, that isn't a whole lot of help. You still got
>> hacked, you still got to reinstall and check to make sure anything you
>> copy over is not infected.
>>
>> Assuming that they can erase dmesg, /var/log/messages and other log
>> files, who's to say the sudo logs aren't deleted too? Then you still
>> have no records to look at.
>>
>> I agree with the other posters tho, re-install from scratch and re-think
>> your security setup.
>>
> That's the problem with any compromise worth its salt, all logs will be
> tampered with to clear traces of interfering with your system. Monitoring
> network traffic from a healthy machine is a good way to establish suspicious
> activity on the compromised box, and it also helps checking for open ports
> (nmap, or netcat) to find out what's happening to the compromised box.
>

Yep, 'cause when they are in the system, they can do what they want. Once they get root privileges, nothing else matters after that. It's just a matter of the clean up, which from what I have always read is a reinstall. It's not good to hear but it's the best way to know for sure you are safe.

Me tho, I would start from scratch and not even chroot into the old install. I might mount and try to read a log file or copy my world file but that would be about it. I'm not sure I would trust anything else.

I just hope this never happens to me. :/

Dale

:-) :-)
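Mick's point about checking the compromised box from a healthy machine can be turned into a concrete cross-check. The script below is an added example and not part of this thread; it assumes you have captured `ss -lnt` output on the suspect host and `nmap -oG` output from a clean machine (both constructed here), and it flags ports that answer from the network but are missing from the host's own listing, which is exactly what a rootkit that also wipes logs tends to hide.

```python
"""Compare what a suspect host says it listens on (`ss -lnt`, possibly lying)
with what a healthy machine sees from outside (`nmap -oG`). A port that is
open from the network but absent locally means the host's view is not to be
trusted. Both sample outputs below are constructed for this example."""
import re

# Constructed: `ss -lnt` as printed on the suspect host (hypothetical host).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       50      0.0.0.0:80          0.0.0.0:*
"""

# Constructed: `nmap -oG - 192.0.2.10` run from the healthy machine.
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -oG - 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//unknown///
# Nmap done
"""


def local_listening_ports(ss_text):
    """Ports the host itself claims to listen on, ignoring loopback-only sockets."""
    ports = set()
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" too
        if not addr.startswith("127."):
            ports.add(int(port))
    return ports


def remote_open_ports(nmap_grepable):
    """TCP ports the external scan reported as open."""
    ports = set()
    for line in nmap_grepable.splitlines():
        if "Ports:" in line:
            ports.update(int(m) for m in re.findall(r"(\d+)/open/tcp", line))
    return ports


def hidden_ports(ss_text, nmap_grepable):
    """Open from outside but missing from the host's own listing: investigate."""
    return sorted(remote_open_ports(nmap_grepable) - local_listening_ports(ss_text))


if __name__ == "__main__":
    print("hidden:", hidden_ports(SS_OUTPUT, NMAP_GREPABLE))  # [31337]
```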