also sprach Angus D Madden <[EMAIL PROTECTED]> [2002.01.11.0649 +0100]:
> agreed. full disk format and reinstall from backup is the only secure
> option. unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...

... if, only if, you have the tripwire binary and database securely stored
away on read-only media, and it's current. then you can use it to verify
that no files have changed, and no rootkit was installed.

however, i did post-mortem analyze a machine once where the actual kernel
had been modified so as to mess with file reads in such a way that the
installed root kit wasn't even detected by tripwire! so be careful.

has the machine been up since the break-in? was it restarted then?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"in the stage of grand illusion
 you walked into my life
 out of my dreams."
                                                            -- david bowie
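The workflow martin describes (a current integrity database kept on read-only media, later compared against the live tree) is what a file-integrity checker like tripwire does. The script below is an added illustration of that idea, not tripwire's own code and not part of the thread: it records a baseline of sha256 digest, size and mode for every file under a root, stores it as JSON (a stand-in for the read-only medium), and reports files that were added, removed or changed. The `demo()` tree and the edits made to it are constructed for the example.

```python
"""Minimal file-integrity baseline in the spirit of the tripwire workflow.

Added example: record a snapshot of a tree, keep the snapshot (and this
script) somewhere the compromised host cannot alter, then compare the live
tree against it. The JSON format and the attributes recorded are this
example's own choices, not tripwire's."""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Hash regular file contents (or a symlink's target) plus size and mode."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": oct(st.st_mode)}


def build_baseline(root):
    """Map each path relative to root to its fingerprint."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the live tree with a stored baseline; return the differences."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: snapshot a tiny tree, then alter it in the ways a
    post-intrusion check should notice (modified binary, new file, deleted log)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "var"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    with open(os.path.join(root, "var", "auth.log"), "wb") as f:
        f.write(b"sshd: accepted publickey for admin\n")

    # The baseline would live on read-only media in practice; a second
    # temporary directory stands in for it here.
    db = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), db)

    # Changes the later check must report.
    with open(os.path.join(root, "bin", "ls"), "ab") as f:
        f.write(b"# appended bytes\n")
    with open(os.path.join(root, "bin", "extra"), "wb") as f:
        f.write(b"new file\n")
    os.remove(os.path.join(root, "var", "auth.log"))

    return verify(root, load_baseline(db))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only as trustworthy as the reads it is built on: as the message above notes, a kernel modified to lie about file contents will feed the checker clean data, so the verification has to be run from a known-good boot (rescue media) against the suspect disk rather than on the running, possibly compromised system.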