Mike Lovell wrote:
> Stuart Jansen wrote:
>
>> On Thu, 2009-10-01 at 12:21 -0600, Kimball Larsen wrote:
>>
>>> I also ran chkrootkit and rkhunter - both came back clean, so I don't
>>> think the box has been p0wn3d.
>>
>> As always, you have to ask yourself how lucky you feel. While this might
>> appear to be a clumsy and failed attack, what you've found so far could
>> just be a diversion.
>>
>> The old advice "the only way to be sure is to reinstall" still applies.
>> If this is a personal server, it might not be worth it. If this box is
>> on a privileged part of your work network, or has sensitive data, it's
>> definitely worth being sure.

Yet another reason to use virtualization and have a good way to redeploy your VM (using puppet, cobbler, or the like). You can roll back or just redeploy with minimal effort if a box gets compromised.

--Dave

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/