Re: '(no

2001-09-17 Thread Dimitri Maziuk
In linux.debian.security, you wrote:
> On Sat, 15 Sep 2001, Petro wrote:
> 
>> If you believe that you've been hacked, fdisk and restore from
>> backup--if you are absolutely positive your backup is clean.
>> Otherwise rebuild from scratch.
> 
> I can easily agree with the above, emphasizing the "if" clause on top of
> it. You do not want to wipe away your computer and spend a good amount of
> time rebuilding it unless you _believe_ it has been rooted. That's why you
> unplug it (to begin with) and carefully check the contents of its hard
> disk(s) using a known good system, possibly using another computer
> altogether to do the check.
> 
> THEN you wipe the compromised system away and reinstall it...

"I can easily agree with the above, emphasizing the "if" clause". ;)
If you're good at hunting down r00tkits, and the server is not critical,
then yes. Besides, it's a good learning experience.
If you want the server back on-line ASAP, wipe and reinstall is usually
faster.

Dima
-- 
Well, lusers are technically human.-- Red Drag Diva



Re: '(no

2001-09-15 Thread Dimitri Maziuk
In linux.debian.security, you wrote:
> I am curious if the following is an example of a buffer overflow.  I
> noticed this in my syslog - and the following day had someone logged in
> from an IP I'm not aware of.
> 
> I changed the passwords - and added an entry to the input chain to block
> the IP, but am wondering what other things I should do? 
> 
> Should I remove /bin/sh for something less obvious as a general
> protection from buffer overflows?

If you suspect your machine was r00ted, 
1. Take it off the net _now_.
2. If you want to do a post-mortem, boot from "known good" CD or plug
   the hd into a "known good" box.
3. Post mortem or not, wipe everything out (as in "fdisk") and reinstall
   from scratch.
   
The reason is that the intruder could install hacked versions of utilities
like ps, ls, lsmod etc. that won't show backdoor processes and hacked files,
and/or a kernel module that does the same at OS level. Your logs may have 
been sanitized, too. You cannot trust any program on a r00ted box.

Dima
-- 
In cyberspace no one can hear you laugh -- Bill Bumgarner in RISKS 21.65
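Both posts above make the same point: the suspect disk has to be checked from a known-good system, because ps, ls and lsmod on the box itself may be trojaned. The following is an added Python example, not from this thread: it verifies a mounted suspect root against a dpkg-style .md5sums manifest, which must come from a trusted source (a known-good install or the original .deb), never from the suspect disk. The directory layout, file contents and tampering are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg .md5sums lines ('<md5>  <path without leading slash>') into {path: md5}."""
    manifest = {}
    for line in text.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if sep:  # skip blank or malformed lines
            manifest[path.strip()] = digest.lower()
    return manifest

def md5_file(path):
    # md5 only because that is the digest dpkg's .md5sums files carry.
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_mounted_root(root, manifest):
    """From the known-good system, check each manifest entry under the mounted suspect root."""
    modified, missing = [], []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_file(full) != expected:
            modified.append(rel)
    return modified, missing

def build_demo():
    """Constructed stand-in for a mounted suspect disk: ps gets altered, lsmod removed."""
    root = tempfile.mkdtemp(prefix="suspect-root-")
    good = {"bin/ps": b"echo genuine ps\n", "bin/ls": b"echo genuine ls\n",
            "sbin/lsmod": b"echo genuine lsmod\n"}
    lines = []
    for rel, data in good.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    # Simulated tampering; the trusted manifest above predates it.
    with open(os.path.join(root, "bin/ps"), "ab") as f:
        f.write(b"# altered (simulated)\n")
    os.remove(os.path.join(root, "sbin/lsmod"))
    return root, "\n".join(lines) + "\n"

if __name__ == "__main__":
    root, text = build_demo()
    print(verify_mounted_root(root, parse_md5sums(text)))  # (['bin/ps'], ['sbin/lsmod'])
```

Only files listed in the manifest are checked, so added files (a second backdoor binary, a new kernel module) still need a separate look at what is on the disk beyond the package list.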


