[PLUG] Think I've been hacked
Rich Burroughs
rich at paranoid.org
Mon Jan 24 23:06:27 UTC 2005
Michael Rasmussen wrote:
> Note, I'm in the minority of people who believe that an
> infected system can be cleaned and restored to safe behavior.
I think that's possible if you have a method like Tripwire to check the
integrity of the system files, and you know what you're doing. But then
you have to check for a lot of other things as well. Other backdoors,
accounts with no passwords or UID 0, SUID copies of bash lying about,
malicious cron jobs, init scripts and CGI scripts, and more. It's really
hard to know that you've covered every possible scenario that could
allow the attacker root access again.
For some people (especially people without a lot of practical security
experience) wiping and installing from scratch will actually be easier
than dealing with all of that. But, then again, if you don't investigate
things you don't learn.
This may have been a false positive, and I'd certainly investigate that
first before doing anything drastic.
Rich
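A defender's starting point for three of the checks listed in the post (extra UID 0 accounts, accounts with empty passwords, SUID executables that could be copied shells), as an added example that is not part of the original message. The passwd, shadow and file-tree inputs are constructed here so the script runs offline; point the functions at the real /etc files and / on a system under investigation.

```shell
#!/bin/sh
# Added example, not from the thread. Inputs below are constructed samples.
TMP=$(mktemp -d)

# Constructed /etc/passwd: "toor" is a second UID 0 account, "guest" has no password.
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backdoor:/:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
EOF

# Constructed /etc/shadow with matching entries (hashes are placeholders).
cat > "$TMP/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# Constructed file tree: a hidden SUID executable next to a normal one.
mkdir -p "$TMP/tree"
printf '#!/bin/sh\n' > "$TMP/tree/.bash"
chmod 4755 "$TMP/tree/.bash"
printf '#!/bin/sh\n' > "$TMP/tree/normal"
chmod 755 "$TMP/tree/normal"

# Any account other than root whose UID field is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty in either passwd or shadow.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1" "$2" | sort -u
}

# Regular files with the SUID bit set under a directory; each hit needs
# a manual look (a SUID copy of bash is the case the post warns about).
suid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

echo "Extra UID 0:";       extra_uid0 "$TMP/passwd"
echo "Empty passwords:";   empty_passwords "$TMP/passwd" "$TMP/shadow"
echo "SUID files:";        suid_files "$TMP/tree"
```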