Re: Server hacked - next...?

On Sun, 2003-06-29 at 19:02, Donovan Baarda wrote:
> Once you get compromised, it's pretty darn hard to get clean without
> starting fresh. Some rootkit compromises do weird stuff like infect
> every binary file you even 'ls'. One system I saw had been compromised
> via an ssh vulnerability (old ssh) and rootkit'ed... there was a very
> good security guy doing the (remote) cleanup, and he ended up having to
> install busybox just so that he had a clean environment he could work
> from. Despite it being damn hard to clean up, it was just the work of a

Thought I'd better clarify here... he was using busybox to get a clean
environment so he could remotely shut down the system to a bare minimum
and still get critical stuff off. After that the system was wiped and
fresh re-installed with new passwords.

Just in case anyone was thinking this showed it was worth resurrecting a
compromised system without a fresh re-install :-(

In the end it is nearly always easier to re-install than to just clean
the system without it, even if the hacker did leave .bash_histories
behind that show everything he/she did.

Donovan Baarda                http://minkirri.apana.org.au/~abo/

