Thoughts on reinstalling vs. repairing a hacked system. True, if you've been hacked theoretically anything is possible. But I have noticed that our kind, computer geeks, have a mental disease of sorts - the inability to differentiate between probable and possible. Possibly because we see ways to turn the possible into reality with a few lines of code. We will spend a lot of time taking care of the possible with no regard as to how probable that is.

If you run a small site and you've been hacked, of course anything is possible, but what is most probable is that some automated bot exploited a known security weakness and created a nest for itself without changing your critical data, except maybe inserting some malicious code into your live web application. They would not be so smart as to do anything that requires specific knowledge of your application, such as modifying your data tables in a way that would be of use to them and not obvious to you. Think of something that is portable across sites; you are rarely important enough for a hand-crafted, site-specific hack unless you are Google or Yahoo or somebody big.

If you replace the system files and the application code (hope there is another copy of it somewhere), you are usually OK. Even when you do not have a backup of the application, load your main application page, debug the weird behavior, track it down, find/grep for the trouble in the tree, remove it manually, and you are good to go.

As we have learned through the bad experiences some of us had on this list, doing something conceptually correct could really tick off your client when he loses the data he values, even when that data has theoretically been invalidated through a break-in.

--
Sasha Pachev
AskSasha Linux Consulting
http://asksasha.com
Fast Running Blog.
http://fastrunningblog.com
Run. Blog. Improve. Repeat.
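The find/grep triage the post describes, as an added example that is not part of the original message: it compares the live web tree against the known-good copy you hopefully have and greps for patterns commonly seen in bot-injected PHP. The directory layout, file names and the inert eval(base64_decode(...)) markers are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): triage a hacked web tree by
# comparing it with a known-good copy and grepping for injected code.
# Paths, file names and the "suspicious" patterns below are constructed.

# Print files present in LIVE that are missing from CLEAN (ADDED) or that
# differ from it (CHANGED). Unchanged files are not printed.
# Usage: list_changed LIVE CLEAN
list_changed() {
    live=$1 clean=$2
    (cd "$live" && find . -type f | sed 's|^\./||' | sort) |
    while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf 'ADDED   %s\n' "$f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            printf 'CHANGED %s\n' "$f"
        fi
    done
}

# Print files under DIR containing decode-then-eval patterns that are typical
# of injected PHP. Hits are leads to inspect by hand, not proof of compromise;
# legitimate code can match too.
grep_suspicious() {
    grep -rlE 'eval\((base64_decode|gzinflate|str_rot13)\(' "$1" 2>/dev/null |
        sed "s|^$1/||" | sort
}

# Build a constructed fixture: a clean backup and a "live" copy whose index.php
# has an appended eval stub and which carries a dropped file under uploads/.
# Prints the fixture root so callers can clean it up.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/lib" "$root/live/lib" "$root/live/uploads"
    printf '<?php echo "hello";\n' > "$root/clean/index.php"
    printf '<?php function db() {}\n' > "$root/clean/lib/db.php"
    cp "$root/clean/lib/db.php" "$root/live/lib/db.php"
    { cat "$root/clean/index.php"
      printf '<?php eval(base64_decode("PLACEHOLDER_BASE64"));\n'; } > "$root/live/index.php"
    printf '<?php eval(gzinflate(base64_decode("PLACEHOLDER")));\n' > "$root/live/uploads/.cache.php"
    printf '%s\n' "$root"
}

root=$(make_fixture)
echo "== files added or changed vs. the clean copy =="
list_changed "$root/live" "$root/clean"
echo "== files matching injection patterns =="
grep_suspicious "$root/live"
rm -rf "$root"
```

On a real tree, point list_changed at the live document root and the backup, and follow up on every ADDED or CHANGED file before deciding whether a restore from the copy is enough.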