On Sun, 2003-06-29 at 19:02, Donovan Baarda wrote:
[...]
> Once you get compromised, it's pretty darn hard to get clean without
> starting fresh. Some rootkit compromises do weird stuff like infect
> every binary file you even 'ls'. One system I saw had been compromised
> via an ssh vulnerability (old ssh) and rootkit'ed... there was a very
> good security guy doing the (remote) cleanup, and he ended up having to
> install busybox just so that he had a clean environment he could work
> from. Despite it being damn hard to clean up, it was just the work of a
Thought I'd better clarify here... he was using busybox to get a clean environment so he could remotely shut down the system to a bare minimum and still get critical stuff off. After that the system was wiped and fresh re-installed with new passwords.

Just in case anyone was thinking this showed it was worth resurrecting a compromised system without a fresh re-install :-(

In the end it is nearly always easier to re-install than to just clean the system without it, even if the hacker did leave .bash_histories behind that show everything he/she did.

--
----------------------------------------------------------------
Donovan Baarda http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------