It is highly recommended to have a recovery toolkit.
This toolkit helps not only to recover a broken system, but also to perform security audits and forensic analysis.
The toolkit consists of a set of statically linked binaries (grep, w, netstat, ls, nc, strace, ps, etc.).
If an attacker has gained superuser access to the system, they could have installed malware like a trojan or a rootkit. Therefore you cannot trust anything on your system. The su or login binaries could have been replaced by the attacker's own tool to grab your passwords. Other trojans attack the shared libraries directly, meaning that even newly compiled code may be dangerous.
The other use of this toolkit is to "repair after an accident". A single wrong command is enough to damage important binaries or shared libraries (for example an rm -r on the wrong folder...).
This toolkit must be mounted on a read-only file system, and it can be used by rootkit-hunting tools such as chkrootkit.
It is also important to note that this toolkit consists of statically linked binaries: we cannot rely on the system's shared libraries if the system is corrupted.
The total size of the binaries + sources is about 500 Mo. The binaries alone are less than 50 Mo.
Issue the following commands:
sudo mkdir -p /sharewiz/toolkit/src
sudo mkdir -p /sharewiz/toolkit/bin
Issue the following command:
sudo aptitude install dpkg-dev
The dpkg-dev package is required to fetch and unpack the sources (apt-get source uses its dpkg-source tool) and to build the static binaries.
Issue the following commands (apt-get source needs deb-src entries enabled in /etc/apt/sources.list):
cd /sharewiz/toolkit/src
sudo apt-get source coreutils
cd /sharewiz/toolkit/src/coreutils-x.x # replace x by the package version
sudo ./configure
sudo make CC="gcc -static -std=gnu99 -pthread"
If the compile fails with an error like this:
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.6/crtbeginT.o: relocation R_X86_64_32 against `__DTOR_END__' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-linux-gnu/4.6/crtbeginT.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make[3]: *** [libstdbuf.so] Error 1
make[3]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13'
make: *** [all] Error 2
...then fix it by issuing the following commands. This works around a known gcc bug; see https://bugs.launchpad.net/ubuntu/+source/gcc-4.4/+bug/640734 and https://bugzilla.redhat.com/show_bug.cgi?id=214465. Note that this replaces a system file used by every -static link on this host; the backup crtbeginT.orig.o lets you restore the original once the toolkit is built.
cd /usr/lib/gcc/x86_64-linux-gnu/4.6
sudo cp crtbeginT.o crtbeginT.orig.o
sudo cp crtbeginS.o crtbeginT.o
cd /sharewiz/toolkit/src/coreutils-x.x # replace x by the package version
Then try to recompile:
sudo make clean
sudo make CC="gcc -static -std=gnu99 -pthread"
Check that the compile finishes successfully; the end of the output should look like this:
Making all in .
make[4]: Entering directory `/sharewiz/toolkit/src/coreutils-8.13/gnulib-tests'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13/gnulib-tests'
make[3]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13/gnulib-tests'
make[2]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13/gnulib-tests'
make[2]: Entering directory `/sharewiz/toolkit/src/coreutils-8.13'
make[2]: Nothing to be done for `all-am'.
make[2]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13'
make[1]: Leaving directory `/sharewiz/toolkit/src/coreutils-8.13'
If the compile still does not complete successfully, then ensure that the issue is resolved before continuing.
sudo cp src/cat "../../bin"
sudo cp src/chmod "../../bin"
sudo cp src/chown "../../bin"
sudo cp src/cp "../../bin"
sudo cp src/cut "../../bin"
sudo cp src/dd "../../bin"
sudo cp src/df "../../bin"
sudo cp src/du "../../bin"
sudo cp src/echo "../../bin"
sudo cp src/head "../../bin"
sudo cp src/id "../../bin"
sudo cp src/ln "../../bin"
sudo cp src/ls "../../bin"
sudo cp src/md5sum "../../bin"
sudo cp src/mkdir "../../bin"
sudo cp src/mknod "../../bin"
sudo cp src/mv "../../bin"
sudo cp src/pwd "../../bin"
sudo cp src/readlink "../../bin"
sudo cp src/rm "../../bin"
sudo cp src/stat "../../bin"
sudo cp src/sha512sum "../../bin"
sudo cp src/su "../../bin"
sudo cp src/tail "../../bin"
sudo cp src/touch "../../bin"
sudo cp src/uname "../../bin"
sudo cp src/wc "../../bin"
sudo cp src/who "../../bin"
These are the essentials, but there are more binaries in the src folder.
Issue the following commands:
cd /sharewiz/toolkit/src
sudo aptitude install libncurses-dev # required to build top
sudo apt-get source procps
cd /sharewiz/toolkit/src/procps-xxx # replace xxx by the package version
sudo make SHARED=0 CC='gcc -static'
sudo cp free "../../bin"
sudo cp kill "../../bin"
sudo cp ps/ps "../../bin"
sudo cp top "../../bin"
sudo cp uptime "../../bin"
sudo cp vmstat "../../bin"
sudo cp w "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source net-tools
cd /sharewiz/toolkit/src/net-tools-xxx # replace xxx by the package version
sudo sed -i 's@default:@&\n break;@' lib/inet_sr.c
sudo make config # Keep the default config by answering [enter] to all prompts
sudo sed -i 's|#define HAVE_AFX25 1|#define HAVE_AFX25 0|' config.h # you probably do not need X.25 protocol support
sudo sed -i 's|#define HAVE_HWX25 1|#define HAVE_HWX25 0|' config.h
# HAVE_AFX25 and HAVE_HWX25 are set to 0 so that the package compiles on Ubuntu,
# avoiding: x25_sr.c:80: error: ‘x25_address’ undeclared (first use in this function)
# If you know a better way, do not hesitate to comment on this article!
sudo make CC="gcc -static" ifconfig netstat arp route
sudo cp arp "../../bin"
sudo cp ifconfig "../../bin"
sudo cp netstat "../../bin"
sudo cp route "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source gawk
cd /sharewiz/toolkit/src/gawk-xxx # replace xxx by the package version
sudo ./configure LDFLAGS="-static" # Static compiling is not always easy...
sudo make LDFLAGS="-static"
sudo cp gawk "../../bin"
sudo ln -s gawk "../../bin/awk" # relative link, so it still works wherever the toolkit is mounted
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source grep
cd /sharewiz/toolkit/src/grep-xxx # replace xxx by the package version
sudo ./configure
sudo make CC="gcc -static"
sudo cp src/grep "../../bin"
sudo cp src/egrep "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source lsof
cd /sharewiz/toolkit/src/lsof-xxx # replace xxx by the package version
sudo ./Configure -n linux
sudo make CC="gcc -static"
sudo cp lsof "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source strace
cd /sharewiz/toolkit/src/strace-xxx # replace xxx by the package version
sudo ./configure
sudo make CC="gcc -static"
sudo cp strace "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source sed
cd /sharewiz/toolkit/src/sed-xxx # replace xxx by the package version
sudo ./configure
sudo make CC="gcc -static"
sudo cp sed/sed "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source netcat
cd /sharewiz/toolkit/src/netcat-xxx # replace xxx by the package version
sudo sed -i '1i#include "resolv.h"' netcat.c # Why is it always so difficult to compile source code...
sudo make linux # the linux target of this Makefile already links statically
sudo cp nc "../../bin"
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source binutils
cd /sharewiz/toolkit/src/binutils-xxx # replace xxx by the package version
sudo ./configure
sudo make LDFLAGS="-all-static" > /tmp/binutils-make.log 2>&1 # CC="gcc -static" does not work here; the build is very verbose, so log it
sudo cp binutils/strings "../../bin"
# there are more binaries in there, pick the ones you want
Issue the following commands:
cd /sharewiz/toolkit/src
sudo apt-get source findutils
cd /sharewiz/toolkit/src/findutils-xxx # replace xxx by the package version
sudo ./configure
sudo make CC="gcc -static"
sudo cp find/find "../../bin"
sudo cp locate/locate "../../bin"
sudo cp xargs/xargs "../../bin"
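The builds above all follow the same pattern: fetch the Debian source, build with static flags, copy the resulting binaries into the toolkit. The script below is an added example and not a script from this page; it wraps that pattern in a driver so that each package becomes a one-liner, the "replace xxx by the package version" step is done by looking up the unpacked directory, and a missing build artifact fails loudly instead of being skipped. The TOOLKIT variable and the function names are my own choices; it assumes the page's /sharewiz/toolkit layout, that deb-src entries and dpkg-dev are in place so apt-get source works, and that it is run as root like the sudo commands above.

```shell
#!/bin/sh
# Added example, not a script from the ShareWiz page: one driver for the page's
# recurring "fetch source, build static, copy artifacts" steps. Assumes the page's
# layout (/sharewiz/toolkit/src and /sharewiz/toolkit/bin, overridable through
# TOOLKIT), a working "apt-get source", and that it runs as root.
TOOLKIT="${TOOLKIT:-/sharewiz/toolkit}"

# Print the single unpacked source directory of a package under srcdir
# (e.g. /sharewiz/toolkit/src/grep-2.10). Fails if there is none or more
# than one, rather than guessing which version to build.
source_dir() {
    srcdir="$1"; pkg="$2"
    set -- "$srcdir/$pkg"-*/
    [ $# -eq 1 ] && [ -d "$1" ] || return 1
    printf '%s\n' "${1%/}"
}

# Copy each artifact (path relative to the source dir, e.g. src/grep or ps/ps)
# into bindir. Every artifact is attempted; the function returns non-zero if any
# was missing or not executable, so a tool whose build failed is not silently
# left out of the toolkit.
install_artifacts() {
    srcdir="$1"; bindir="$2"; shift 2
    missing=0
    for artifact in "$@"; do
        if [ -x "$srcdir/$artifact" ]; then
            cp "$srcdir/$artifact" "$bindir/"
        else
            echo "missing artifact: $srcdir/$artifact" >&2
            missing=1
        fi
    done
    return "$missing"
}

# build_package <package> <build command> <artifact>...
# The build command runs under sh -c inside the source directory, so a package's
# own patching (the page's sed fixes) goes in front of its configure/make.
build_package() {
    pkg="$1"; build="$2"; shift 2
    (cd "$TOOLKIT/src" && apt-get source "$pkg") || return 1
    dir=$(source_dir "$TOOLKIT/src" "$pkg") || return 1
    (cd "$dir" && sh -c "$build") || return 1
    install_artifacts "$dir" "$TOOLKIT/bin" "$@"
}

# Usage: sh build_static.sh grep   (runs one of the page's builds through the driver)
case "${1:-}" in
    grep)   build_package grep './configure && make CC="gcc -static"' src/grep src/egrep ;;
    procps) build_package procps 'make SHARED=0 CC="gcc -static"' free kill ps/ps top uptime vmstat w ;;
    sed)    build_package sed './configure && make CC="gcc -static"' sed/sed ;;
esac
```

Packages that need more than configure and make (net-tools, netcat) are expressed the same way: put the page's sed commands in front of the make inside the build string.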
Issue the following command:
sudo ldd /sharewiz/toolkit/bin/*
ldd should answer "not a dynamic executable" for every tool. If it lists shared libraries for one of them, that tool is still dynamically linked and must be rebuilt before it goes into the toolkit.
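As an added check that is not part of the original page: the script below runs the ldd test over every tool in the bin directory and then writes a sha512 manifest (the page builds sha512sum into the toolkit for exactly this kind of use), so the toolkit can be re-verified after it has been mounted read-only. TOOLKIT_BIN, MANIFEST and the function names are my choices; it assumes GNU coreutils on the build host and an absolute manifest path. Run the ldd part only on the trusted build host: ldd loads the file with the system's dynamic loader, so it proves nothing on a machine you already suspect.

```shell
#!/bin/sh
# Added example, not from the ShareWiz page: checks to run on the build host once
# the toolkit is assembled. Assumes the page's /sharewiz/toolkit/bin layout
# (overridable through TOOLKIT_BIN) and GNU coreutils; MANIFEST must be absolute.
#   1. every file in the bin directory must be statically linked (ldd check)
#   2. a sha512 manifest is written so the toolkit can be re-verified later
TOOLKIT_BIN="${TOOLKIT_BIN:-/sharewiz/toolkit/bin}"
MANIFEST="${MANIFEST:-$TOOLKIT_BIN/MANIFEST.sha512}"

# A static binary makes ldd print "not a dynamic executable". ldd works by
# running the system dynamic loader on the file, so this is only meaningful on
# the trusted build host, never as an integrity check on a suspect machine.
is_static() {
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

# Report every file in dir; return non-zero if any is dynamically linked.
check_all_static() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_static "$f"; then
            echo "static : $f"
        else
            echo "DYNAMIC: $f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Write sha512 sums of every file under dir to the manifest. Paths are recorded
# relative to dir, so the manifest stays valid wherever the read-only toolkit is
# later mounted. The manifest itself (if it lives inside dir) is excluded.
manifest_create() {
    dir="$1"; manifest="$2"
    (cd "$dir" && find . -type f ! -name "$(basename "$manifest")" -exec sha512sum {} + | sort -k 2) > "$manifest"
}

# Re-check dir against the manifest; non-zero if any file changed, disappeared or
# was added. When the toolkit is in use, run this with the toolkit's own
# sha512sum, not the suspect system's.
manifest_verify() {
    dir="$1"; manifest="$2"
    (cd "$dir" && sha512sum -c "$manifest" >/dev/null) || return 1
    # sha512sum -c ignores files that are not listed, so count files as well.
    expected=$(grep -c . "$manifest")
    actual=$(cd "$dir" && find . -type f ! -name "$(basename "$manifest")" | grep -c .)
    [ "$expected" -eq "$actual" ]
}

# Usage: sh toolkit_check.sh check   (on the build host, before mounting read-only)
#        sh toolkit_check.sh verify  (later, to confirm nothing changed)
case "${1:-}" in
    check)  check_all_static "$TOOLKIT_BIN" && manifest_create "$TOOLKIT_BIN" "$MANIFEST" ;;
    verify) manifest_verify "$TOOLKIT_BIN" "$MANIFEST" && echo "toolkit unchanged" ;;
esac
```

Keep a copy of the manifest (or just its own sha512) somewhere other than the toolkit media as well; a manifest that lives only next to the files it describes can be rewritten together with them.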
Copyright ShareWiz by Peter Roux