On Fri, 27 Aug 2004, Carl Fink wrote:
> 1. Never use real words for your (non-trivial) passwords.

passwd or pass phrase should be different for each different purpose

    email passwd ... [EMAIL PROTECTED] for email ...
    ssh passwd ...... jsmith is the ssh login
    vpn passwd ...
    ppp passwd ... why bother protecting it ... its in the ppp script
    home acct passwd
    server passwds
    .. on and on ..

> 2. If you're concerned that your box is rooted, get a known clean
> Debian CD and reinstall, after preserving your personal data.

if you reinstall ... and you dont know how they got in, you are
still just as vulnerable as before unless you change at least "ONE"
thing to be different than before
( even a different kernel or different style of passwds or something
different .. or even better ... patch it to the latest version )

i'd never reinstall a "suspect box"...
( it'd be throwing away a ton of useful and helpful goldmine of info )
... and do NOT reboot either ..

- assuming that there's no major threat of other boxes or other
  people's boxes outside your office/colo ...

- i typically assume that the suspect box is "rm -rf'd" and
  try to get useful hacker data out of it:

    a) figure out who got in
    b) how they got in
    c) why they got in
    d) when they got in
    e) what they did to get in
    f) how long they been there
    g) what else did they do once they're in
    h) what files did they change or pretend or attempt to change
    i) how often do they come in
    j) where do they come from
    k) what other sites have they broken into and coming from there
    l) what other sites are they attempting to break into
    m) ... on and on ...

    all of the above can take weeks/months ...

    xx) call the security guru at the "big tier-1 isp" (that cares about it)
    yy) call the fbi ... and log everything ...
    zz) call the fbi while the cracker is in the box so they can
        trace all the packets back up the tree to the originating pc
        in somebodys bedroom or office

c ya
alvin