
Re: '(no

dmaziuk@yola.bmrb.wisc.edu (Dimitri Maziuk) writes:

> > I can easily agree with the above, emphasizing the "if" clause on top
> > of it. You do not want to wipe away your computer and spend a good
> > amount of time rebuilding it unless you _believe_ it has been rooted. 
> > That's why you unplug it (to begin with) and carefully check the
> > contents of its hard disk(s) using a known good system, possibly using
> > another computer altogether to do the check.
> > 
> > THEN you wipe the compromised system away and reinstall it...

Bootable CDs are jolly useful for this. 

> "I can easily agree with the above, emphasizing the "if" clause". ;) If
> you're good at hunting down r00tkits, and the server is not critical,
> then yes. Besides, it's a good learning experience. If you want the
> server back on-line ASAP, wipe and reinstall is usually faster.

One possible compromise, that should probably be happening anyway: take an
archive copy for your forensics and/or as a last-minute backup before the
wipe. That can probably be done quickly enough to fit the wipe & reinstall

That morning dawn, with no regrets          |piglet@stirfried.vegetable.org.uk
We stood in line, we laughed                |http://spodzone.org.uk/
In silhouette                               |
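The archive-copy step suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell function that images a device (or any file) bit-for-bit with dd from a known-good system such as a bootable CD, writes the SHA-256 of the source and of the image to a log, and reports whether the two match. The paths in the usage comment (/dev/sda, /mnt/evidence) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Takes a verified archive copy of a
# disk before it is wiped, run from a known-good (live CD) system.
set -u

# image_device SRC DST_DIR
# Copies SRC (e.g. /dev/sda) to DST_DIR/<name>.img, logs SHA-256 of source
# and image, returns 0 if they match and 1 otherwise.
image_device() {
    src=$1
    dst_dir=$2
    name=$(basename "$src")
    img="$dst_dir/$name.img"
    log="$dst_dir/$name.log"

    mkdir -p "$dst_dir" || return 1
    printf 'source: %s\nstarted: %s\n' "$src" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$log"

    # Bit-for-bit copy; dd's own transfer statistics go into the log.
    # On a disk with unreadable sectors you would add conv=noerror,sync,
    # but then the image hash cannot be expected to equal the source hash.
    dd if="$src" of="$img" bs=1M 2>>"$log" || return 1

    # Hash the original and the copy independently and record both, so the
    # image can be re-verified later without touching the original again.
    src_sum=$(sha256sum "$src" | awk '{print $1}')
    img_sum=$(sha256sum "$img" | awk '{print $1}')
    printf 'sha256 source: %s\nsha256 image:  %s\n' "$src_sum" "$img_sum" >> "$log"

    if [ "$src_sum" = "$img_sum" ]; then
        echo "verified: match" >> "$log"
        return 0
    fi
    echo "verified: MISMATCH" >> "$log"
    return 1
}

# Run directly as: sh archive_disk.sh /dev/sda /mnt/evidence
# (assumed paths; the destination must not be on the disk being imaged)
if [ $# -eq 2 ]; then
    image_device "$1" "$2"
fi
```

The log records both hashes, so a later check of the image against its logged hash shows whether the copy is still intact, and a mismatch at imaging time means the copy should not be trusted before the wipe goes ahead.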