How to deal with a rooted machine (was Re: [plug] Tonight's meeting)
Peter Wright
pete at akira.apana.org.au
Mon Jun 24 11:22:03 WST 2002
On Mon, Jun 24, 2002 at 11:04:10AM +0800, Anthony J. Breeds-Taurima wrote:
> On Mon, 24 Jun 2002, Peter Wright wrote:
[ snip ]
> > Well, would anyone with some network security knowledge be
> > interested in having a look at a cracked machine? :-)
>
> I'd love to BUT I don't think that a PLUG meet is the right place to
> do it. Not really an environment conducive to thought.
An environment conducive to much pointed amusement, though.
"Heh, you had _that_ running, and you lasted >1 days? Wow!" :)
> I'd suggest you: boot from CD, mount all the rooted filesystems as
> /mnt/r_1 /mnt/r_2 etc etc, mount NFS some disk with lots of room, then
> dump (with dd) all your rooted fs's to the vastness of NFS :)
> Burn to CD
> then rebuild the machine
> Then you have a permanent record and you could give me a copy :)
Unfortunately, I don't have a CD burner - but aside from the CD-burning,
that's pretty much what I was going to do. The machine in question can't
boot from CD (and doesn't have a CD drive anyway), so I was just going to
rip out the compromised hard disk and mount it (ro,nosuid,noexec) on
another machine when I have some time to perform a detailed analysis.
Actually, I could bring the hard disk in to my workplace and make use of
the CD burner from there... hmm... although that would involve my
workmates laughing at me even more... :)
Anyone else interested in getting a CD copy of the compromised
filesystem(s) if I can make one? The disk in question is less than a
gig, so it should easily fit on a single CD.
BTW, the rootkit was thoughtfully located in /usr/include/net/.net -
shows someone, possibly the script kiddie, had a sense of humour. :)
> Skipping the pointers on how to setup a box, and lectures on
> culpability.
Yesss..... *roll of eyes*
> Yours Tony
Pete the Careless Git.
--
http://akira.apana.org.au/~pete/
Klingon programmer sayings:
1. "Our users will know fear and cower before our software. Ship
it! Ship it and let them flee like the dogs they are!"
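The preservation steps sketched in the thread (dd the rooted filesystems somewhere with room, keep a verifiable copy, mount the evidence ro,nosuid,noexec on a clean box), as an added shell example that is not from either poster; the device path, image path and mount point are placeholders.

```sh
#!/bin/sh
# Preserve a compromised filesystem for later analysis: bit-for-bit image
# with dd, verify the copy by hash, then mount it read-only with
# noexec,nosuid,nodev. Added example; all paths are placeholders.
set -u

# image_device SRC DEST
# Copies SRC (e.g. /dev/hdb1, or any regular file) into DEST, which may sit
# on an NFS mount with room to spare. conv=noerror,sync keeps going past
# unreadable sectors and zero-pads them so offsets in the image still match
# the disk; bs=512 matches the sector size so the padding never extends
# past the device's real length. Returns 0 only if source and image hash
# identically (a mismatch means sectors were unreadable and zero-filled).
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$1" | cut -d' ' -f1)
    img_sum=$(sha256sum "$2" | cut -d' ' -f1)
    # Record the image hash beside it so any later copy (CD, NFS) can be checked.
    printf '%s  %s\n' "$img_sum" "$(basename "$2")" > "$2.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# verify_image IMAGE
# Re-checks IMAGE against the hash recorded by image_device; fails if the
# image has been altered or truncated since it was taken.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# mount_evidence IMAGE MOUNTPOINT
# Loop-mounts IMAGE read-only with noexec,nosuid,nodev so nothing inside
# (trojaned binaries, setuid shells, stray device nodes) can run or be
# used from the analysis host. Needs root on Linux.
mount_evidence() {
    mkdir -p "$2" && mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}
```

Run image_device before touching the disk any further, and keep the .sha256 file with every copy you hand out so recipients can confirm they have the same image.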