> > Complete wiping of the system is not always necessary

On Tue, Jul 02, 2002 at 10:23:38AM -0700, Gordon Messmer wrote:
> That's not advice I'd give to someone who doesn't recognize that he's
> been hacked. Actually making sure that a system is clean is possible,
> but it involves /really/ knowing what's going on in the system.

It is also good to pretend you are tracking down a mystery disease and don't know how it is spread. This means taking every logical precaution. (But be logical, don't resort to shaking dead chickens at the hard disk.) And be paranoid.

For example, if you have been cracked into, assume that everything you have typed on that computer has also been sent back to the bad guy who broke in. So if you have ever logged into another computer from that box, assume that the cracked computer kept a note of that other computer's password and sent it back to its master. Which means that other computer might have been broken into too. Now, once you rebuild your cracked box, if you log into it from another cracked box, *that* password can be sent off to some bad guy.

And worry about all executable files (or source code files you might compile). Any program that is on the cracked box might have been tampered with. If you back up any programs and then restore them on a rebuilt box you might just be reinstalling a rootkit.

Once you get your box back and happy, keep it up to date so it won't get broken into again.

-kb
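
The precaution about backed-up programs and source files, as an added example that is not part of the original message: a shell sketch that lists every file in a backup tree that is code rather than data, so it can be reinstalled from trusted media instead of restored. The function names, the extension list and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): list everything in a backup tree
# that is code rather than data, so it is reinstalled from trusted media
# instead of being restored. Assumes paths contain no newlines.

# classify_file PATH: print why PATH counts as code, or nothing for plain data.
classify_file() {
    f=$1
    # First four bytes as hex: ELF is 7f 45 4c 46, a script starts "#!" (23 21).
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        7f454c46) echo elf; return ;;
        2321*)    echo script; return ;;
    esac
    # Source that would be compiled or run later is as risky as a binary.
    case $f in
        *.c|*.h|*.cc|*.cpp|*.pl|*.py|*.sh|*/Makefile|*/configure)
            echo source; return ;;
    esac
    # Any execute bit (owner, group or other), whatever the content looks like.
    if [ -n "$(find "$f" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]; then
        echo exec-bit
    fi
}

# audit_backup DIR: print "reason<TAB>path" for each file to leave out of the restore.
audit_backup() {
    find "$1" -type f -print | while IFS= read -r path; do
        reason=$(classify_file "$path")
        if [ -n "$reason" ]; then printf '%s\t%s\n' "$reason" "$path"; fi
    done
}

# make_sample_backup: build a small constructed tree and print its location.
make_sample_backup() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf '\177ELF\002\001\001' > "$d/bin/ls"      # constructed ELF header bytes
    printf '#!/bin/sh\necho hi\n' > "$d/cron-job"   # script without an exec bit
    printf 'int main(void){return 0;}\n' > "$d/hello.c"
    printf 'quarterly numbers\n' > "$d/notes.txt"   # plain data
    printf 'blob\n' > "$d/report.dat"; chmod 755 "$d/report.dat"
    echo "$d"
}
```

Run `audit_backup` against the mounted backup from a machine that is known to be clean, since the tools on the cracked box cannot be trusted to report honestly.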
