
Re: '(no



In linux.debian.security, you wrote:
> On Sat, 15 Sep 2001, Petro wrote:
> 
>>     If you believe that you've been hacked, fdisk and restore from
>>     backup--if you are absolutely positive your backup is clean.
>>     Otherwise rebuild from scratch.
> 
> I can easily agree with the above, emphasizing the "if" clause on top of
> it. You do not want to wipe away your computer and spend a good amount of
> time rebuilding it unless you _believe_ it has been rooted. That's why you
> unplug it (to begin with) and carefully check the contents of its hard
> disk(s) using a known good system, possibly using another computer
> altogether to do the check.
> 
> THEN you wipe the compromised system away and reinstall it...

"I can easily agree with the above, emphasizing the "if" clause". ;)
If you're good at hunting down r00tkits, and the server is not critical,
then yes. Besides, it's a good learning experience.
If you want the server back on-line ASAP, wipe and reinstall is usually
faster.

Dima
-- 
Well, lusers are technically human.                            -- Red Drag Diva


