[Gllug] My firewall is rooted

Richard Cottrill richard_c at tpg.com.au
Mon Jul 15 11:35:29 UTC 2002


My 2c.

Boot from a known-good root/boot disc (floppy I suppose if such a thing
exists for BSD), copy the essential files (text only) to another disc and
reinstall from scratch. While waiting for the installation to complete read
all of the files you pulled off and try to find anything that looks a bit
suss. Then copy the (possibly edited) configuration files back to the new
machine.

If BSD has a really good auditing tool for just such occasions then you
might be able to use another root/boot disc to audit and clean the machine
without re-installation. This gives you more opportunity for forensics and
other high-jinks. Oh, and it could save a lot of pissing about.

Richard

> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]
> On Behalf Of Stephen Harker
> Sent: Monday, July 15, 2002 12:20 PM
> To: gllug at linux.co.uk
> Subject: [Gllug] My firewall is rooted
>
>
> OK. So I ssh into the firewall (first time in a week or so) to discover
> loads of running processes ./a and a new user in my password file called
> dave. So out he goes and shutdown all the processes. Passwd file was
> locked so I removed /etc/ptmp and removed the dave entry. (BTW this is an
> OpenBSD box) Rebooted the machine. First mistake.
> Now my root password doesn't work any more. SO. Do I want to even bother
> fixing this machine up or shall I just rescue my pf and nat rules, wipe
> the box and start again? Will there be a load of backdoors and other
> nasties on there now?
> Steve
> --
> Stephen Harker
> steve at pauken.co.uk
>
> "The sooner we fall behind, the longer we have to catch up!"
>
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>
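The triage step Richard describes (pull the text-only configuration files off the suspect box from a known-good boot, then read through them for anything that looks off before reusing them) can be partly automated. The script below is an added example written for this archive page, not code from either poster: it has a text-only filter for deciding which files are safe to carry over, and a passwd(5)-format audit that flags accounts not in your own baseline, extra UID-0 entries, and empty passwords on accounts with a login shell. The sample passwd content and the `KNOWN_ACCOUNTS` baseline are constructed for the example (the "dave" account mirrors the thread; "support" is invented); on OpenBSD the real hashes live in master.passwd, so run the same audit on a copy of that file as well.

```python
"""Added example (not from the GLLUG thread): triage helpers for configuration
files pulled off a compromised box from a known-good rescue boot.

Assumptions (mine, not the thread's): you have the suspect files as bytes or
text already, and a baseline set of the accounts you created yourself.
"""

# Constructed sample of a passwd file after an intrusion like the one in the
# thread: an added user "dave" and an invented extra UID-0 account "support"
# with an empty password field and a real shell.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
_pflogd:*:84:84:pflogd privsep:/var/empty:/sbin/nologin
steve:*:1000:1000:Steve:/home/steve:/bin/ksh
dave:*:1001:1001::/home/dave:/bin/sh
support::0:0:Vendor support:/root:/bin/sh
"""

# Baseline: accounts the administrator knows they created or that shipped
# with the install (constructed for the example).
KNOWN_ACCOUNTS = {"root", "daemon", "_pflogd", "steve"}


def is_text_file(data: bytes) -> bool:
    """Text-only copy rule from the thread: refuse anything containing NUL
    bytes or that does not decode as UTF-8, so a compiled binary dropped
    alongside the configs cannot ride across to the rebuilt machine."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def audit_passwd(text: str, known: set) -> list:
    """Return human-readable findings for a passwd(5)-format file.

    Checks: unknown account names, UID 0 on anything other than root, and an
    empty password field on an account that has a usable login shell.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry {line!r}")
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if name not in known:
            findings.append(f"line {lineno}: unknown account {name!r}")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: extra UID-0 account {name!r}")
        if pw == "" and shell != "/sbin/nologin":
            findings.append(
                f"line {lineno}: empty password with login shell for {name!r}"
            )
    return findings


def triage_sample() -> list:
    """Run the audit over the constructed sample; returns the findings."""
    return audit_passwd(SAMPLE_PASSWD, KNOWN_ACCOUNTS)


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

Point `audit_passwd` at the copies you pulled off rather than at the live system: once the box has been rebooted with an unknown root password, nothing running on it should be trusted to report its own state. The same "read it before you reuse it" rule applies to the pf and NAT rule files, which are plain text and can go through `is_text_file` and a manual read just like the account database.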



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug