
Re: Compromised system - still ok?

On Mon, Feb 07, 2005 at 12:35:45AM +0100, martin f krafft wrote:
> Once an attacker is on the system, you cannot be sure anymore that
> you can track his/her actions down. Sophisticated root kits exist to
> cover all (!) traces.

I co-administer a system with ~250 users, a significant part of whom I
don't know very well personally, and really, I don't rule out that some of
them might try to do some cracking, or, more likely, have such a shoddy
password policy or infected Windows system that their account will be
used, too.

Should I now reinstall these systems daily?

I don't see much difference, except that in this case there really was
someone with evil intentions on an account, but as already said in this
thread, what you see is only part of what happens. Especially on a busy
multiuser system, suspicious activity might go unnoticed.

In both my case and the thread starter's case, a normal user account
might have been, or definitely was, in the hands of someone malicious. In both
cases, there was no evidence whatsoever that there was even an attempt
at becoming root.

My point was and is: user account != root. Any such hole would be
dangerous, but if you cannot somewhat reasonably assume this, you are
only going to paranoidly reinstall systems over and over again.

My final remark in this thread about this specific case: if it was
merely a backup MX, indeed, just reinstall, as the only valuable thing
was probably the mail queue (harmless) and the mail config (probably
trivial or at least trivially checkable). If you reboot from CD-ROM and
fdisk & mkfs the hard disk from scratch, all these hidden files in
filesystems etc. are just FUD.


Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
