On Friday, 21 September 2007, Grant wrote:
> > >   Do I
> > > need to start this thing over?
> >
> > yes. No tool can tell you for certain that no malware is on the rampage on
> > your system. netstat, ps, emerge might be hacked already. As might be md5sum
> > and other tools to generate and compare checksums. There is only one way
> > to make sure your system is clean:
> >
> > reinstallation
>
> Although I haven't found any evidence of intrusion, I've been urged
> off-list to reinstall and since I'm about 4 hours early to rise this
> morning I think I better.

If your intruder has at least some skills and doesn't want to leave evidence
behind, you have nearly zero chance to find any signs. That is the evil part
about being 'maybe hacked'.
Even with the best tools you can only say 'the hacker must be good' and 
not 'there was no hacker'. 

>
> Can we go over a good plan for the transition?  My main concerns are
> backing up the right files and a good remote installation procedure as
> it's been years since I did that.  Thanks.

I would tar everything up and copy back the files you really want - after
checking them. Stuff from /etc, like the files in /etc/conf.d, make.conf, the
files in /etc/portage and other stuff you edited, the /home tree, your
database and website files, if there are any. But don't copy anything back
without having a look first. Your world-file might be helpful to spare some
time. /usr/portage stuff should be nuked completely - it is so easy to replace
that it is not worth the risk of a hacked ebuild ...
Don't forget to mkfs the partitions first before you start reinstallation.
About remote installation: never done that, hopefully someone else on the list 
can help you with that.



-- 
[EMAIL PROTECTED] mailing list
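
One way to organise the "have a look first" step from the message above, as an added example that is not part of the original post: a shell function that compares an extracted backup tree with the freshly installed system and sorts files into ones that need no restore, ones whose diff must be read, and ones that must be read in full. The function name review_backup, the directory layout and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run it on the freshly installed system, never on the suspect
# one, because (as the thread says) the old system's tools cannot be trusted.
#
# review_backup BACKUP_DIR FRESH_ROOT   (hypothetical helper name)
# Prints one line per regular file found in the extracted backup:
#   SAME     identical to the fresh install's copy, nothing to restore
#   CHANGED  differs from the fresh install's copy, read the diff first
#   NEW      no counterpart on the fresh install, read the whole file
# A trailing "exec" or "setid" marks files carrying execute or setuid/setgid
# bits, which deserve extra attention in a backup of /etc or /home.
# Symlinks and other non-regular files are not listed; file names containing
# newlines are not supported.
review_backup() {
    backup=$1
    fresh=$2
    ( cd "$backup" && find . -type f | LC_ALL=C sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -e "$fresh/$rel" ]; then
            state=NEW
        elif cmp -s "$backup/$rel" "$fresh/$rel"; then
            state=SAME
        else
            state=CHANGED
        fi
        flag=
        if [ -x "$backup/$rel" ]; then flag=" exec"; fi
        if [ -u "$backup/$rel" ] || [ -g "$backup/$rel" ]; then flag=" setid"; fi
        printf '%s %s%s\n' "$state" "$rel" "$flag"
    done
}

# Constructed demo tree (not real system files): "old" stands for the
# extracted backup, "new" for the root of the fresh installation.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/old/etc/conf.d" "$t/old/home/u" "$t/new/etc/conf.d"
    echo 'CFLAGS="-O2"' > "$t/old/etc/make.conf"
    echo 'CFLAGS="-O2"' > "$t/new/etc/make.conf"
    echo 'hostname="web1"' > "$t/old/etc/conf.d/hostname"
    echo 'hostname="localhost"' > "$t/new/etc/conf.d/hostname"
    printf '#!/bin/sh\n' > "$t/old/home/u/.helper"
    chmod 755 "$t/old/home/u/.helper"
    review_backup "$t/old" "$t/new"
    rm -rf "$t"
}
demo
```

Only the CHANGED and NEW lines need a human look before anything is copied back; SAME files can simply be left out of the restore.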
