
I'm sure my SLES 11 SP3 servers were open to the Shellshock security vulnerability for a few days, since I wasn't able to patch them during that time as the patch server in our intranet had broken down. :-(

Now I'm looking for a way to check the installed packages for modifications in order to determine if the servers have been compromised. Is that the way to go?

Thanks for any tips coming my way. Kate

  • You can't. If you've got any hint that your servers may have been compromised, you have to disconnect them from the net, wipe the contents, reinstall from backups, patch, reboot, test, and get back online. – Deer Hunter Oct 06 '14 at 11:10
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Deer Hunter Oct 06 '14 at 11:10

1 Answer


Unfortunately that is not a reliable check.
A smart attacker will not change files owned by packages, but install them elsewhere.
You would need to check all files (with something like tripwire) -- but that is now impossible since you don't have a good reference point.

Of course it is possible to verify the package file status via RPM like so:

rpm -V bash

That will show you if there have been any modifications to files owned by this package.
But like I said, this shouldn't be taken as an indication that the server has not been compromised.

This check is only useful if it tells you that you actually have been compromised.
The other way around cannot be trusted for the reason above, and because the rpm binary could have already been tampered with.

faker