> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexander Schreiber
> Sent: Monday, December 22, 2003 12:24 AM
> To: Chris
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
>
> There is exactly one way to properly clean up a rooted box:
> backup the system (for later analysis and for keeping any
> data that might be needed), wipe the disks and reinstall from
> known clean install media, update the system to get all
> current security updates and properly secure the box.

This advice is common, and it's always mystified me. Why would you want backups of the "data"? If the box is compromised, you can't trust *anything* on it, can you? How can you know for certain that "data" isn't a cleverly concealed backdoor?

I can understand backing up the disk for offline analysis, but I would think you'd want to restore your data from known good copies, wouldn't you? And if you don't have known good data backups, well, then consider it a lesson learned and do it right the next time.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
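The "known good copies" point above in working form, as an added example that is not part of the thread: a SHA-256 manifest recorded at backup time and kept off the box is the only thing that lets you tell restored data from something planted on it. The file names and contents below are constructed for the demonstration; the manifest-and-compare logic is the technique itself.

```python
"""Check files recovered from a compromised host against a known-good manifest.

Files whose hash differs, files missing from the tree, and files that were
never in the manifest are reported rather than silently restored.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(root, manifest):
    """Return (ok, modified, missing, unexpected) as sorted relative paths."""
    ok, modified, missing, unexpected = [], [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) == expected:
            ok.append(rel)
        else:
            modified.append(rel)
    for dirpath, _, names in os.walk(root):          # anything not in the manifest
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in manifest:
                unexpected.append(rel)
    return sorted(ok), sorted(modified), sorted(missing), sorted(unexpected)


def demo():
    """Constructed scenario: a known-good tree, then the same tree after tampering."""
    files = {"etc/app.conf": b"port=8080\n", "data/records.csv": b"id,name\n1,alice\n"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for rel, content in files.items():
            for base in (good, suspect):
                path = os.path.join(base, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(content)
        manifest = {rel: sha256_file(os.path.join(good, rel)) for rel in files}  # kept off-box
        # Simulated tampering on the suspect copy (constructed, not a real incident):
        with open(os.path.join(suspect, "data/records.csv"), "ab") as f:
            f.write(b"2,mallory\n")                    # altered data
        os.remove(os.path.join(suspect, "etc/app.conf"))  # file gone
        with open(os.path.join(suspect, "data/.cache"), "wb") as f:
            f.write(b"never backed up")                # file no manifest vouches for
        return verify_against_manifest(suspect, manifest)
```

Only the files in the first list are candidates for restore; the other three lists are what to look at during the offline analysis.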