also sprach Angus D Madden <angus@3wsi.com> [2002.01.11.0649 +0100]:
> agreed. full disk format and reinstall from backup is the only secure
> option. unless you are running something like tripwire there is no way
> to tell what the intruder did, and even then ...
... if, only if, you have the tripwire binary and database securely
stored away on read-only media, and it's current. then you can use it to
verify that no files have changed, and no rootkit was installed.
however, i did post-mortem analyze a machine once where the actual
kernel had been modified so as to mess with file reads in such a way
that the installed root kit wasn't even detected by tripwire! so be
careful. has the machine been up since the break-in? was it restarted
then?
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
"in the stage of grand illusion
you walked into my life
out of my dreams."
-- david bowie