
Re: I've been hacked by DevilSoul



also sprach Angus D Madden <angus@3wsi.com> [2002.01.11.0649 +0100]:
> agreed.  full disk format and reinstall from backup is the only secure
> option.  unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...

... if, only if, you have the tripwire binary and database securely
stored away on read-only media, and it's current. then you can use it to
verify that no files have changed, and no rootkit was installed.

however, i did post-mortem analyze a machine once where the actual
kernel had been modified so as to mess with file reads in such a way
that the installed root kit wasn't even detected by tripwire! so be
careful. has the machine been up since the break-in? was it restarted
then?

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"in the stage of grand illusion
 you walked into my life
 out of my dreams."
                                                        -- david bowie
