Steve Edwards wrote:

> On Thu, 22 Jan 2009, Wilton Helm wrote:
>
>> If some of your directories like /home and /user have separate mount
>> points, they don't have to get wiped out in the process.
>>
>
> If there is any reason to suspect a hack, re-installation is the only way.
> I would replace the suspect drive and do a fresh install on a fresh drive.
> If you can bring it up to current patch level before exposing it to the
> 'net, all the better.
>
> Having the suspect drive available to crib configuration details from will
> come in handy. Just mount it read-only on a non-executable mount point.
>
> After a hack, no executable or configuration file can be trusted and all
> data is suspect so even if /home and /us[e]r are not clobbered, they
> cannot be trusted.
>
> Thanks in advance,
> ------------------------------------------------------------------------
> Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
> Newline Fax: +1-760-731-3000
Have to agree with Steve there. While a majority of hacks are just script
kiddies using the vulnerability du jour, some are quite expertly done. I'd a
friend in college who hacked into the university's main servers and spent a
lot of time replacing system binaries with his own that he'd tailored to have
the same byte count and same overall properties (with hidden extra switches
here and there) so they wouldn't be readily noticed. This was WAAAY back in
the day before things like tripwire and the like, but a careful hacker can
become next to undetectable.

The only SURE solution is to wipe the drive and start fresh, making sure to
patch any holes through which the hacker might have come while you're doing a
new install.

N.

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
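Steve's point that no executable on the old drive can be trusted, together with N.'s story of replacement binaries padded to the same byte count, is why a comparison against a fresh install has to use cryptographic hashes rather than sizes or timestamps. The following is an added example (not from the thread) in Python: it builds a manifest of a clean install tree and of the suspect drive (assumed mounted `ro,noexec,nosuid,nodev` as Steve suggests) and flags files whose size matches but whose SHA-256 does not; the sample trees are constructed inline in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map relative path -> (size, sha256) for every regular file under root.
    root is expected to be the clean install or the suspect drive mounted
    ro,noexec,nosuid,nodev; symlinks are skipped so nothing outside root is read."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.is_file():
                out[str(p.relative_to(root))] = (p.stat().st_size, sha256_of(p))
    return out

def compare(clean: dict, suspect: dict) -> dict:
    """Classify differences. 'same_size_diff_hash' is the padded-trojan case from
    the thread: a size or timestamp check would miss it, a hash check does not."""
    report = {"same_size_diff_hash": [], "modified": [], "missing": [], "added": []}
    for rel, (size, digest) in clean.items():
        if rel not in suspect:
            report["missing"].append(rel)
            continue
        s_size, s_digest = suspect[rel]
        if s_digest == digest:
            continue
        report["same_size_diff_hash" if s_size == size else "modified"].append(rel)
    report["added"] = sorted(set(suspect) - set(clean))
    return report

def build_demo() -> dict:
    """Constructed sample: a 'fresh' tree and a 'suspect' tree (hypothetical content)."""
    base = Path(tempfile.mkdtemp())
    clean, suspect = base / "fresh", base / "suspect"
    for root in (clean, suspect):
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "etc" / "asterisk.conf").write_bytes(b"[directories]\nastetcdir => /etc/asterisk\n")
    (clean / "bin" / "ls").write_bytes(b"#!/bin/sh\necho listing files  \n")
    (suspect / "bin" / "ls").write_bytes(b"#!/bin/sh\necho listing files;:\n")  # same 31 bytes, different content
    (suspect / "bin" / ".hidden").write_bytes(b"#!/bin/sh\n")  # file that exists only on the suspect drive
    return compare(manifest(clean), manifest(suspect))
```

Run against a real pair of trees, the `missing` and `added` lists also show what a reinstall must re-create and what never belonged on the box.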