[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to fix rootkit?

Quoting Laurentiu Pancescu (lpancescu@googlemail.com):

> I was wondering if we're not losing perspective of what is realistic
> in a certain situation, especially for people without previous
> experience in handling such attacks and whose job is not necessarily
> a full-time system administrator.

1.  If you are running an *ix, you're a system administrator.
2.  Do you want to rebuild once and eliminate the problem, or 
    would you prefer to in all likelihood not fix it at all and
    have to deal with it all over again?  If you want to risk
    the latter, good luck and farewell.  If the former, it's a 
    well-understood problem, e.g., see the standard CERT

> Sometimes we have other people needing that server back as soon as
> possible, and a schedule to keep.  Spending a few weeks with forensic
> analysis isn't always an option, when the probability of actually
> finding anything useful being low.

Straw man.  Detailed forensics _before_ redeployment are a luxury
only rare affordable.  Most sites image the compromised box and 
redeploy with CERT-grade measures to close holes, and then do additional
forenscs later as time allows.

Reply to: