
Re: Have I been sniffed? - reinstall
On Fri, 27 Aug 2004, Carl Fink wrote:

> 1.  Never use real words for your (non-trivial) passwords.

passwd or pass phrase should be different for each different purpose
	email passwd  ... joe@domain.com for email ...
	ssh passwd ...... jsmith is the ssh login
	vpn passwd ...
	ppp passwd ... why bother protecting it ... it's in the ppp script
	home acct passwd
	server passwds
	.. on and on ..

> 2.  If you're concerned that your box is rooted, get a known clean
> Debian CD and reinstall, after preserving your personal data.

if you reinstall ...  and you don't know how they got in, you
are still just as vulnerable as before unless you change at least "ONE" 
thing to be different than before ( even a different kernel or different 
style of passwds or something different .. or even better ... patch it
to the latest version )

i'd never reinstall a "suspect box"... ( it'd be throwing away a goldmine
of useful and helpful info ) ... and do NOT reboot either ..

	- assuming that there's no major threat to other boxes
	or other people's boxes outside your office/colo ...

	- i typically assume that the suspect box is "rm -rf'd"
	and try to get useful hacker data out of it:

a) figure out who got in
b) how they got in
c) why they got in
d) when they got in
e) what they did to get in
f) how long they've been there
g) what else did they do once they're in
h) what files did they change or pretend or attempt to change
i) how often do they come in
j) where do they come from
k) what other sites have they broken into and are coming from there
l) what other sites are they attempting to break into
m) ... on and on ...

all of the above can take weeks/months ... 

xx) call the security guru at the "big tier-1 isp" (that cares about it)
yy) call the fbi ...  and log everything ...
zz) call the fbi while the cracker is in the box so they can trace 
    all the packets back up the tree to the originating pc in somebody's
    bedroom or office

c ya
alvin
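The "do NOT reboot, get the useful data out of it first" advice above, as an added example that is not part of alvin's post: a POSIX sh live-response snapshot that saves the volatile state of a suspect host (logins, processes, sockets, routes, modules) into a separate directory and hashes every copy so later changes to the evidence set can be detected. Tool names (ss, ip, lsmod, last) are assumptions about a Linux host; absent tools are skipped and noted rather than aborting the run. Because the box may be rooted, run these from a trusted static toolkit rather than the suspect's own binaries, and write to removable media or an export rather than the suspect disk.

```shell
#!/bin/sh
# Live-response snapshot: capture volatile state BEFORE rebooting or
# reinstalling. Output goes to OUTDIR; each copy is hashed into a manifest.
# Tool names below are assumptions about a Linux host; missing tools are
# logged in errors.txt instead of failing the collection.

# run_cmd LABEL CMD [ARGS...]: save one command's output as OUTDIR/LABEL.txt
run_cmd() {
    label=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUTDIR/$label.txt" 2>&1 || echo "$label: exit status $?" >> "$OUTDIR/errors.txt"
    else
        echo "$label: $1 not installed, skipped" >> "$OUTDIR/errors.txt"
    fi
}

# hash_tool: print a SHA-256 command that supports both hashing and '-c' checks
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo "sha256sum"
    elif command -v shasum >/dev/null 2>&1; then echo "shasum -a 256"
    else return 1; fi
}

# collect_volatile OUTDIR: most volatile data first (logins, processes, sockets)
collect_volatile() {
    OUTDIR=$1
    mkdir -p "$OUTDIR" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUTDIR/collected_at.txt"
    run_cmd uptime    uptime
    run_cmd logins    who -a
    run_cmd lastlog   last -a
    run_cmd processes ps auxww
    run_cmd sockets   ss -tunap          # netstat -tunap on older systems
    run_cmd neighbors ip neigh
    run_cmd routes    ip route
    run_cmd modules   lsmod
    run_cmd mounts    mount
    # checksum every artefact so tampering with the copies is detectable later
    HASH=$(hash_tool) || return 1
    for f in "$OUTDIR"/*.txt; do $HASH "$f"; done > "$OUTDIR/manifest.sha256"
}

# verify_manifest OUTDIR: succeed only if every collected file still matches
verify_manifest() {
    HASH=$(hash_tool) || return 1
    $HASH -c "$1/manifest.sha256" >/dev/null 2>&1
}
```

Run `collect_volatile /mnt/evidence/hostname-$(date +%s)` as root, then keep the manifest with the case notes and re-run `verify_manifest` on the copies before relying on them.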