Re: [Full-Disclosure] Removing ShKit Root Kit

[Brian Eckman <eckman@umn.edu>]

Larry W. Cashdollar wrote:
> On Mon, 22 Dec 2003, Brian Eckman wrote:
>
>
> > Schmehl, Paul L wrote:
>
>
> > Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
> > considered relatively safe. If the attacker can later find a way to
> > chmod it and then execute it with the privliges needed to make it
> > harmful, then I imagine that they could find other ways of compromising
> > your machine as well.
>
>
> The attacker could have also added a new user to your oracle database, so
> I see where Paul is coming from.   Restoring actual data from a known good
> copy is a better idea. I suspect that most people keep a backup copy
> (raw dd) of a compromised system for the feds and a copy for themselves to
> explore.  Other than that nothing can be trusted from the compromised
> system.
> -- Larry C$

It always will depend on the situation. Is throwing away a few million 
transactions acceptible, when it might take a couple of hours or less to 
compare the Oracle user list against a known good list? Should you 
scrutinize each of those millions of transactions that occured between 
compromise and detection to make sure each and every one of them are 
legit? If doing so costs more than it is worth (define as you wish), it 
won't happen, and shouldn't.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html