[plug] Preempting meeting discussion

James Bromberger james at rcpt.to
Tue Oct 9 11:04:37 WST 2001


On Tue, Oct 09, 2001 at 09:26:05AM +0800, Harry McNally wrote:
> May I suggest a quick round up tonight of the recent plug damage? In 
> particular, what tools and methods the recovery people used to determine 
> the vulnerability and check the machine was no longer compromised? I'd be 
> interested .. if those that did the recovery are attending tonight's 
> meeting.


I would suggest using debsums to do md5sums on the binaries; starting with 
an md5sum on the "debsums" executable, and comparing to a known 'good' 
box. Not all applications have md5sums in their packages; for those that 
don't, you could reinstall all those packages with known 'good' copies. 

Then you just have to check your /etc, /home, /var/www directories from 
your backups/tripwire logs.

Everyone with a Debian machine: play with debsums. It's very small, very 
simple, but can give you some useful information. The first step 
above, though, is very important; your copy of "debsums" may have been 
compromised, and thus return unreliable data.

-- 
 James Bromberger <james_AT_rcpt.to> www.james.rcpt.to

 Remainder moved to http://www.james.rcpt.to/james/sig.html
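
Added example, not part of the original message: a sketch of the order of operations described above, checking the checker against a digest taken from a known-good box before trusting any file results. The function names (hash_of, tool_is_trusted, verify_list, audit) are hypothetical, and it assumes sh and md5sum themselves are run from trusted media.

```shell
#!/bin/sh
# Added example with hypothetical helper names; not debsums' own code.
# LIST uses the dpkg md5sums layout: "<md5>  <path relative to ROOT>".

# hash_of FILE: print the MD5 hex digest of FILE.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# tool_is_trusted TOOL KNOWN_GOOD_MD5
# Succeeds only if TOOL exists and matches the digest recorded on a
# known-good machine.
tool_is_trusted() {
    [ -f "$1" ] && [ "$(hash_of "$1")" = "$2" ]
}

# verify_list ROOT LIST
# Prints "MISSING path" or "FAILED path" for each problem; returns 1 if
# anything was reported, 0 if every listed file matched.
verify_list() {
    root=$1
    list=$2
    bad=0
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r sum path || [ -n "$sum" ]; do
        [ -n "$sum" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            bad=1
        elif [ "$(hash_of "$root/$path")" != "$sum" ]; then
            echo "FAILED $path"
            bad=1
        fi
    done < "$list"
    return "$bad"
}

# audit TOOL KNOWN_GOOD_MD5 ROOT LIST
# Returns 2 without checking any file if the checking tool itself is not
# trusted, since its answers would be meaningless.
audit() {
    if ! tool_is_trusted "$1" "$2"; then
        echo "UNTRUSTED $1"
        return 2
    fi
    verify_list "$3" "$4"
}
```

On a Debian system LIST would be a package's /var/lib/dpkg/info/<package>.md5sums file and ROOT would be /, or the mount point of the suspect disk when working from rescue media.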