  1. #1

    Root kits - replacing binaries

    Let's say a couple of binaries have been infected. Will it temporarily fix the problem if I simply move a good version of the binary from the other machine over to the compromised server?

  2. #2
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    Well, when you get hacked, there are usually backdoors installed, binaries replaced, and sometimes the kernel is bugged. Also, sometimes binaries won't allow you to replace them. Just by replacing binaries you could still have multiple holes left in the box. I don't recommend it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  3. #3
    Join Date: Apr 2003 | Posts: 202
    Sure it could.

  4. #4
    Greetings:

    We have worked with customers who replaced binaries; most of the time, for months afterwards they were fixing this problem and that problem, or the hacker got back in.

    We always recommend wiping the drive(s), reinstalling the OS, reinstalling those applications which call for fresh installs, and restoring from a backup made prior to the hack.

    Thank you.
    ---
    Peter M. Abraham

  5. #5
    Join Date: Mar 2003 | Location: Rio de Janeiro - Brazil | Posts: 291

    Re: Root kits - replacing binaries

    Originally posted by dbbrock1
    Let's say a couple of binaries have been infected. Will it temporarily fix the problem if I simply move a good version of the binary from the other machine over to the compromised server?
    If you could be sure that those binaries were the only things the intruder touched, there would be no problem with just replacing them (provided, of course, that you have already closed the hole the hacker used to get in in the first place).

    Unfortunately, in 99% of cases you can't know for sure what was touched, as logs and system files can be changed to mask that. So, if you have important data on the server, I'd recommend a full restore.

  6. #6
    rpm is your friend here. Try rpm --all --verify and see what you get. This takes a LONG time, but it can tell you which binaries are non-standard.

    This doesn't work so well when you have other packages that deliberately hack on binaries (like cPanel, I think).

    You are going to get some errors like this:

    S.5....T c /etc/httpd/conf/httpd.conf

    but obviously the httpd.conf file was SUPPOSED to be modified. You'll have to weed through them all to verify everything.
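    The weeding step described above, as an added example that is not part of the original post: a small filter over `rpm -Va` output that drops entries flagged as config files (the `c` column) and keeps only files whose size (S), digest (5) or mode (M) differs from the package database, plus files that are missing. Timestamp-only differences (T) are ignored. The sample lines fed to it are constructed for the demonstration and do not come from a real audit; the one httpd.conf line mirrors the format quoted in the post.

```shell
#!/bin/sh
# Filter `rpm -Va` output down to entries that suggest a replaced or
# tampered binary. Added example; sample input below is constructed.

filter_rpm_verify() {
    awk '
    {
        attrs = $1
        # Second column may be a file-type flag:
        # c=config d=doc g=ghost l=license r=readme. If absent, $2 is the path.
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { type = $2; path = $3 }
        else                              { type = "-"; path = $2 }
        if (type == "c") next                        # edited config files are expected
        if (attrs == "missing") { print "MISSING " path; next }
        # S = size, 5 = digest, M = mode (e.g. a setuid bit that was not there before)
        if (attrs ~ /[S5M]/) print "CHANGED " attrs " " path
    }'
}

# Constructed sample of the `rpm -Va` line format (rpm 4.x, one entry per line).
sample_rpm_output() {
    cat <<'EOF'
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T   /bin/ls
.M......   /usr/bin/passwd
missing    /usr/bin/netstat
..5....T   /usr/bin/ps
.......T   /usr/share/doc/foo/README
EOF
}

# Runs the filter over the constructed sample; on a real box use:
#   rpm -Va | filter_rpm_verify
demo_filter() {
    sample_rpm_output | filter_rpm_verify
}

demo_filter
```

Two caveats a practitioner should keep in mind. First, `rpm -Va` compares files against the RPM database on the same box, so an intruder with root can edit that database (or, as the next post notes, install their own package); verifying against the original package files with `rpm -Vp package.rpm` after checking their signatures with `rpm -K`, ideally running rpm from trusted boot media, removes that dependency. Second, a mode-only change on something like /usr/bin/passwd is worth looking at even though the content is intact, which is why M is included alongside S and 5.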

  7. #7
    One more thing to add to this: it assumes the root kit doesn't install its own RPM. I haven't seen any RPM-based root kits (but that doesn't mean they don't exist).

  8. #8
    Join Date: Feb 2004 | Location: California | Posts: 24
    Once you're hacked, the system can't be trusted anymore. You can't rely on chkrootkit, MD5 hashes, binary sizes, etc. The best thing to do is reinstall from a backup, and even then you still might not be safe.

  9. #9
    Join Date: Jun 2003 | Posts: 673
    Reinstall from the original media, get everything patched, and then copy the content (only) from the compromised server, after making sure that there are no setuid files in it.
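    The setuid check mentioned above, as an added example rather than the poster's own procedure: list (and optionally strip) setuid and setgid files in a content tree copied off the compromised server before it is put in place on the rebuilt one. The directory tree in the demo is constructed in a temporary directory and the file names in it are invented for illustration.

```shell
#!/bin/sh
# Find setuid/setgid files in restored content before trusting it.
# Added example; the demo tree and its file names are constructed.

# Print every regular file under $1 with the setuid (4000) or setgid (2000) bit set.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Clear the setuid/setgid bits on every such file under $1.
strip_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} + 2>/dev/null
}

# Demo on a constructed tree: prints the offending paths (relative to the
# tree root), strips the bits, then prints how many remain.
demo_setuid() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html/cgi-bin"
    : > "$dir/public_html/index.html"
    : > "$dir/public_html/cgi-bin/setuid.cgi"      # invented name
    chmod 4755 "$dir/public_html/cgi-bin/setuid.cgi"
    : > "$dir/public_html/cgi-bin/setgid.cgi"      # invented name
    chmod 2755 "$dir/public_html/cgi-bin/setgid.cgi"

    before=$(find_setuid "$dir" | sed "s#^$dir##")
    strip_setuid "$dir"
    after=$(find_setuid "$dir" | wc -l | tr -d ' ')
    rm -rf "$dir"
    printf '%s\n%s\n' "$before" "$after"
}

demo_setuid
```

On a real restore, run `find_setuid /path/to/copied/content` first and read the list; a setuid file in a web root or home directory has no legitimate reason to exist, and stripping the bits with `strip_setuid` is safer than deleting, since it keeps the file for later inspection without leaving a privilege escalation path on the new server.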
