
Re: crack traces in /var ?



Paul Johnson wrote:

On Thu, Jul 24, 2003 at 04:19:46PM +0200, Andreas von Heydwolff wrote:

Would you think with deleting the /var/bobsdata dir, the crontab entry and my --reinstall I have stopped being a DDoS client and can skip a new install of my machine? Any ideas appreciated...


You've been pretty nicely cracked.  It's time to mkfs over everything
and start from scratch.  Restore /home from the last backup that you
know for sure was made before this started, anything backed up after
that is garbage and shouldn't be used anymore.  Good luck.

-- .''`. Paul Johnson <baloo@ursine.ca>
: :'  :    proud Debian admin and user

Oh well. Second time this year. Thanks, Paul, for the response and good wishes.

I now have a few more questions:

My home dir contains no database files but lots of proprietary WordPerfect docs, pdfs, oggs/mp3s/wavs and jpgs and my mail archive. It is always mounted noexec,nosuid,nodev,user. I do have a virtual VMware NT4 machine running some of the time that seems to be virus/trojan free. Would you still recommend going back to a backup of /home after a clean install?

The virtual NT4 machine probably should be thrown away, or would you (or anyone from the list, as it were) consider it safe because the crack looks like a *nix specific one?

And, lastly for now: The /var/crackdir dir has a timestamp X. Does this mean the crack most probably did not happen before day X?

Err, and one more: Should I buy a hardware firewall/router instead of fiddling around with iptables as an amateur?

Regards,

Andreas
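The timestamp question above (whether the date on the dropped directory bounds when the compromise began), as an added example that is not part of the thread: on a Linux filesystem the mtime that `ls -l` shows can be backdated by anyone with write access, while the inode ctime is maintained by the kernel and is moved to "now" by exactly that kind of backdating, so the earliest ctime in the tree is the stronger "no earlier than" bound. The directory, file and timestamps below are constructed for the demonstration.

```python
import os
import tempfile
import time


def timeline(root):
    """Walk `root` and return (path, mtime, ctime) tuples sorted by ctime.

    mtime is the value `ls -l` displays; it can be set to anything with
    utime()/touch.  ctime (inode change time) is set by the kernel on every
    metadata change and cannot be set from userspace without moving the
    system clock, so it is the better lower bound for a forensic timeline.
    """
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            entries.append((path, st.st_mtime, st.st_ctime))
    return sorted(entries, key=lambda e: e[2])


def earliest_bounds(root):
    """Return (earliest mtime, earliest ctime) over the tree.

    The earliest mtime is what a quick `ls -l` suggests; the earliest ctime
    is the defensible 'no earlier than' bound for when the tree appeared."""
    tl = timeline(root)
    return min(e[1] for e in tl), min(e[2] for e in tl)


def demo():
    """Constructed scenario: a dropped directory (stand-in for the /var
    directory in the thread) whose file has had its mtime backdated."""
    root = tempfile.mkdtemp(prefix="dropped-dir-demo-")   # constructed path
    dropped = os.path.join(root, "dropped.sh")
    with open(dropped, "w") as f:
        f.write("#!/bin/sh\n")                           # placeholder content
    now = time.time()
    a_year_ago = now - 365 * 86400
    os.utime(dropped, (a_year_ago, a_year_ago))          # backdates atime/mtime only
    min_mtime, min_ctime = earliest_bounds(root)
    return {
        "root": root,
        "mtime_backdated": min_mtime < now - 300 * 86400,  # ls -l says "a year ago"
        "ctime_recent": min_ctime > now - 3600,            # ctime says "just now"
    }
```

The ctime bound only holds while the intruder could not reset the system clock or write the raw block device; Paul's advice to rebuild from scratch is what removes that uncertainty.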


