-- Perrin Harkins <[EMAIL PROTECTED]> on 03/21/02 17:07:27 -0500

> darren chamberlain wrote:
>> Another alternative is to replace it with something that appears
>> to do the same thing, but actually logs a ton of stuff from the
>> requestor.
> 
> You can't trust any part of compromised box, right down to the 'ls' command.
> Once you know someone has been able to run arbitrary commands on your
> machine, they could have installed ANYTHING.  They might have a rootkit, they
> might have replaced your ssh binary with something that mails passwords to
> them, they might be using your box as part of a DoS attack on someone else's
> site, they might be on your box running as root *right now*.  You don't even
> know how they got on the box in the first place.  Disconnect it.

You can usually trust read-only media (e.g., CDRs placed
in a cdrom drive or mechanically write-locked floppy or 
mio discs). Booting a "rescue" cd or one you've burned
after the install and before putting the box on line can
allow you to check what's going on and at least back up the
more useful portions of the system config files. You might
also want to use rescue-cd utils to back up the logs and 
apache directories to try and track the schmuck who cracked
you.

Point is that even if you cannot trust anything at all
on your hard drives at this point you can still analyze
what's there and recover at least some of it.

enjoi.

--
Steven Lembark                              2930 W. Palmer
Workhorse Computing                      Chicago, IL 60647
                                           +1 800 762 1582
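The rescue-boot procedure described above, as an added example that is not part of the original thread: a POSIX shell script run from the trusted rescue media that mounts the suspect root filesystem read-only and copies the config, log and Apache directories to trusted storage together with a SHA-256 manifest. The device name (/dev/sdX1), the mount point and the directory list are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Run from a rescue CD shell;
# every tool used (mount, tar, find, sha256sum) comes from the rescue media,
# never from the suspect disk.
set -eu

# Mount the suspect partition read-only, with noexec/nosuid/nodev so nothing
# on it can be written to or executed by accident during analysis.
# /dev/sdX1 and the mount point are placeholders.
mount_suspect_ro() {
  dev="$1"; mnt="$2"
  mkdir -p "$mnt"
  mount -o ro,noexec,nosuid,nodev,noatime "$dev" "$mnt"
}

# Archive the config, log and web-server directories found under $src into a
# timestamped tarball under $dest, and write a hash manifest of every file
# plus a hash of the tarball itself so later tampering with the copy shows up.
# Prints the archive path. The directory list is an assumed, typical set.
preserve_evidence() {
  src="$1"; dest="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$dest/evidence-$stamp.tar"
  mkdir -p "$dest"
  set --
  for d in etc var/log var/www usr/local/apache; do
    [ -d "$src/$d" ] && set -- "$@" "$d"
  done
  [ "$#" -gt 0 ] || return 1
  tar -C "$src" -cf "$out" "$@"
  (cd "$src" && find "$@" -type f -exec sha256sum {} +) > "$out.sha256"
  sha256sum "$out" > "$out.tarhash"
  printf '%s\n' "$out"
}

# Typical use from the rescue shell (not executed here):
#   mount_suspect_ro /dev/sdX1 /mnt/suspect
#   preserve_evidence /mnt/suspect /media/trusted-usb
```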
