Re: Compromised system - still ok?
On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
> On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
> <firstname.lastname@example.org> wrote:
> > I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> > you guys think?
> You were rooted, you should reinstall. It's not worth risking that he
> left something that you didn't find.
I see no evidence at all of being rooted, or even hints thereto. Yes,
the backup account was compromised. It looks like there were quite some
security measures in place; try to look hard for any attempt at a kernel
exploit or other local exploit, and think about what files this
backup account had access to. Of course, the importance of the system
matters too: if you were the NSA or something, I'd definitely reinstall.
However, if you're not THAT paranoid, I think you can do with locking
down the backup account, checking all files writable by backup (all files
with recent ctime?), and places like /var/tmp, /tmp, etc.
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
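The checks Jeroen lists (files writable by the compromised account, files with a recent ctime, anything dropped in /tmp or /var/tmp) can be scripted. The functions below are an added example written for this page, not code from the thread or from either poster. They assume GNU find (for -cmin and -xdev), and the sandbox built by make_sandbox is constructed sample data so the functions can be run offline against something other than a live host; on a real machine you would point them at / and at the account named in the thread, and run them from clean media since find itself may be untrustworthy on a compromised box.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example; assumes GNU find).

# Regular files under ROOT whose ctime changed within the last MINUTES.
# ctime cannot be reset with touch, so it survives an attacker's timestomping
# of mtime/atime unless they alter the clock or the filesystem directly.
recent_ctime() {   # usage: recent_ctime ROOT MINUTES
  find "$1" -xdev -type f -cmin "-$2" 2>/dev/null | sort
}

# Regular files under ROOT that USER could write: owned by USER with the
# owner write bit set, or group/world writable (reachable by any account).
writable_by() {   # usage: writable_by ROOT USER
  find "$1" -xdev -type f \
    \( \( -user "$2" -perm -u=w \) -o -perm -g=w -o -perm -o=w \) \
    2>/dev/null | sort
}

# Executable regular files (including dotfiles) under the given temp dirs,
# the usual place for dropped tools and local exploit binaries.
executables_in() {   # usage: executables_in DIR [DIR...]
  find "$@" -xdev -type f \
    \( -perm -u=x -o -perm -g=x -o -perm -o=x \) 2>/dev/null | sort
}

# Build a constructed sandbox mimicking a small filesystem and print its path.
# The "attacker" key and the hidden executable are fabricated sample data.
make_sandbox() {
  sb=$(mktemp -d)
  mkdir -p "$sb/tmp" "$sb/var/tmp" "$sb/etc" "$sb/home/backup/.ssh"
  printf '#!/bin/sh\necho owned\n' > "$sb/tmp/.x";           chmod 755 "$sb/tmp/.x"
  printf 'harmless notes\n'       > "$sb/var/tmp/notes.txt"; chmod 644 "$sb/var/tmp/notes.txt"
  printf 'ssh-rsa AAAA attacker\n' > "$sb/home/backup/.ssh/authorized_keys"
  chmod 600 "$sb/home/backup/.ssh/authorized_keys"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$sb/etc/passwd"; chmod 444 "$sb/etc/passwd"
  printf '%s\n' "$sb"
}

# Run all three checks against ROOT for USER, looking back MINUTES minutes.
triage() {   # usage: triage ROOT USER MINUTES
  echo "== files with ctime in the last $3 minutes under $1"
  recent_ctime "$1" "$3"
  echo "== files writable by $2 under $1"
  writable_by "$1" "$2"
  echo "== executables in temp dirs under $1"
  executables_in "$1/tmp" "$1/var/tmp"
}
```

Against a real host the interesting output is the intersection: a file that is both writable by the compromised account and recently changed (an authorized_keys, a crontab, a shell rc file) is what to read first; executables in the temp directories are where to look for the kernel or local exploit attempts Jeroen mentions.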