[plug] Preempting meeting discussion
James Bromberger
james at rcpt.to
Tue Oct 9 11:04:37 WST 2001
On Tue, Oct 09, 2001 at 09:26:05AM +0800, Harry McNally wrote:
> May I suggest a quick round up tonight of the recent plug damage ? In
> particular, what tools and methods the recovery people used to determine
> the vulnerability and check the machine was no longer compromised ? I'd be
> interested .. if those that did the recovery are attending tonights
> meeting.
I would suggest using debsums to do md5sums on the binaries; starting with
an md5sum on the "debsums" executable, and comparing to a known 'good'
box. Not all applications have md5sums in their packages; for those that
don't, you could renistall all those package with known 'good' copies.
Then you just have to check your /etc, /home, /var/www directories from
your backups/tripwire logs.
Everyone with a Debian machine: play with debsums. Its very small, very
simple, but can give you some useful information. The first step
above through is very important; your copy of "debsums" may have been
compromised, and thus return unreliable data.
--
James Bromberger <james_AT_rcpt.to> www.james.rcpt.to
Remainder moved to http://www.james.rcpt.to/james/sig.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20011009/17c8716d/attachment.pgp>
More information about the plug
mailing list