Re: Am I Compromised -- Some interesting findings
On Fri, Nov 25, 2005 at 04:56:53PM +0000, Keith Edmunds wrote:
> Ritesh Raj Sarraf wrote:
> >Please suggest what more I should look for and how to tackle this
> >attack.
>
> The sensible way forward is to rebuild the machine, although you may
> want to preserve some of it for analysis. I wouldn't trust the machine
> again.
And when you rebuild, make sure to make /tmp a separate partition, and mount
it noexec,nosuid,nodev.
You could do the same with /var/lib/tmp or /var/tmp.
That will make it much harder for an attacker to execute whatever they upload
to your box.
Bye for now,
Ward.
--
Pong.be -( "In my opinion M$ is a lot better at making money than )-
Virtual hosting -( it is at making good operating systems." -- Linus )-
http://pong.be -( Torvalds )-
GnuPG public key: http://gpg.dtype.org
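
One way to verify the mount options recommended above after a rebuild, as an added example that is not part of the original message. The function names and the sample mount table are constructed for illustration; the input is assumed to be in `/proc/mounts` format.

```shell
#!/bin/sh
# Added example: check that temp directories are separate mounts carrying
# noexec, nosuid and nodev. Reads a table in /proc/mounts format.

REQUIRED="noexec nosuid nodev"

# Constructed sample table (not taken from any real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /var/tmp ext3 rw,nosuid 0 0
EOF
}

# missing_opts TABLE MOUNTPOINT
# Prints the required options that MOUNTPOINT lacks (empty if none are
# missing), or "not-a-mount" if nothing is mounted there, i.e. the
# directory just lives on its parent filesystem.
missing_opts() {
    awk -v mp="$2" -v req="$REQUIRED" '
        $2 == mp { opts = $4; found = 1 }   # last entry wins for stacked mounts
        END {
            if (!found) { print "not-a-mount"; exit }
            n = split(req, r, " ")
            split(opts, o, ",")
            for (i in o) have[o[i]] = 1
            out = ""
            for (i = 1; i <= n; i++)
                if (!(r[i] in have)) out = out (out == "" ? "" : " ") r[i]
            print out
        }' "$1"
}

# audit_tmp_mounts [TABLE]  (defaults to the live /proc/mounts)
# Returns non-zero if any checked directory fails.
audit_tmp_mounts() {
    table="${1:-/proc/mounts}"
    rc=0
    for mp in /tmp /var/tmp; do
        miss=$(missing_opts "$table" "$mp")
        case "$miss" in
            "")          echo "OK    $mp" ;;
            not-a-mount) echo "WARN  $mp is not a separate mount"; rc=1 ;;
            *)           echo "FAIL  $mp missing: $miss"; rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run `audit_tmp_mounts` with no argument to check the running system; a non-zero return makes it usable from a post-install or monitoring script.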