
Re: ls strangeness

On Fri, Aug 16, 2002 at 06:16:05PM +0200, Johan SANCHEZ wrote:

> I'm perplexed and anxious: on Solaris, when a cracker has broken
> the security, the first binary he hacks is ls. Fortunately there
> are two ls binaries on Solaris (the SysV one /bin/ls and the BSD
> one /usr/ucb/ls), so we can know easily if the binary has been
> hacked or not (they always hack the SysV one :D). But now how to
> be sure my firewall hasn't been compromised?

First,  your  version  of  ls is  working  exactly  as  advertised
(i.e., RTFM).

If you think your firewall  may have been compromised, here's what
you should do:

Start by analyzing your potential vulnerability. Was it running an
unpatched  sshd  for any  significant  period  of time  after  the
vulnerability  was discovered? Are  you crazy  enough to  run some
other service on the computer,  and is that vulnerable? A portscan
(against all interfaces) will tell you what is running on the box,
if you're not sure you can trust the output of netstat (1) and the

If there has been any  reasonable possibility for your firewall to
be compromised, then  back up your pf.conf, etc.,  files, wipe the
machine, install  -stable, and copy back  your configuration files
(after, of course,  inspecting them to be sure  that they're still
what you yourself created). This step will let you sleep at night.

Finally, implement  sane auditing, updating, backup,  and incident
response policies.

A really poor  man's auditing policy is to read  root's mail every
day;  a poor  man's auditing  policy might  be to  make copies  of
important  media onto  CD and  regularly run  cmp (1)  between the
versions on CD and the firewall. Be sure to compile cmp statically
and  run it  from the  CD. Note  that this  is just  a very,  very
bare-bones  kind  of thing  to  do;  the  Right Way  includes  log
analysis tools, mtree (8), and lots more.

An updating policy is simple:  monitor /errata.html and follow the

A poor man's  backup policy for a firewall would  be a printout of
pf.conf (etc.) and a copy on  three or more floppies (floppies are
notoriously unreliable) or a CD. Better is something like dump (8)
or tar (1).

A  poor  man's  incident  response  policy  is  what  I  described
above: wipe  and re-install. Really,  though, it should  include a
post-mortem to discover what went wrong with an eye to prosecution
and prevention.

The ultimate goal in all of  this is a good night's sleep. Many of
them, preferably. If you  can't sleep at night,  your policies are

It's also worth noting that many people have different definitions
of a  ``firewall.'' If yours includes  anything other than  pf and
maybe sshd, you're  asking for trouble. Get a $50  computer with a
couple NICs for your real firewall and put it in front of whatever
other things you think belong on a firewall.

Good luck,


Ben Goren
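The baseline-and-compare auditing sketched in the reply (a trusted copy on read-only media plus cmp(1) against the live firewall), generalized to a digest manifest that reports missing, added and changed files, as an added example that is not part of the original post. The names file_hash, baseline and verify, and the sha256(1)/sha256sum(1) fallback, are this example's own assumptions.

```shell
#!/bin/sh
# Poor man's integrity audit: record a baseline of file digests for a tree
# (keep it on read-only media) and later report what differs on the live box.
# Content only, like cmp(1); mtree(8) additionally covers ownership, modes and times.
# Function names (file_hash, baseline, verify) are this example's own, not from the post.
export LC_ALL=C   # byte-wise sort order so comm(1) sees consistently sorted input

file_hash() {
  # OpenBSD ships sha256(1); GNU/Linux ships sha256sum(1). Print the digest only.
  if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
  else sha256sum "$1" | cut -d' ' -f1; fi
}

baseline() {
  # $1 = directory to audit, $2 = manifest to write; one "digest path" line per file
  ( cd "$1" && find . -type f | while IFS= read -r f; do
        printf '%s %s\n' "$(file_hash "$f")" "$f"
      done | sort ) > "$2"
}

verify() {
  # $1 = directory, $2 = trusted manifest. Prints MISSING/ADDED/CHANGED lines
  # and returns 0 only when the tree still matches the manifest exactly.
  tmp=$(mktemp -d) || return 2
  baseline "$1" "$tmp/cur"
  cut -d' ' -f2- "$2"       | sort > "$tmp/old_paths"
  cut -d' ' -f2- "$tmp/cur" | sort > "$tmp/new_paths"
  {
    comm -23 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/MISSING /'
    comm -13 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/ADDED /'
    # manifest lines that no longer match verbatim, restricted to files still present
    comm -23 "$2" "$tmp/cur" | cut -d' ' -f2- | sort |
      comm -12 - "$tmp/new_paths" | sed 's/^/CHANGED /'
  } > "$tmp/report"
  cat "$tmp/report"
  if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
  rm -rf "$tmp"
  return $rc
}

# Usage: sh audit.sh baseline /etc /cdrom/etc.manifest
#        sh audit.sh verify   /etc /cdrom/etc.manifest
case "${1-}" in
  baseline) baseline "$2" "$3" ;;
  verify)   verify   "$2" "$3" ;;
esac
```

As the reply says of cmp, the script and the shell utilities it calls should themselves come from trusted media, since a compromised host can lie about its own files.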
