Re: Re: Is my system compromised
On Sat, 4 Feb 2006, Carl Fink wrote:
> Once you're rooted, this is way easier and more effective than trying to fix
> things.
personally, it is 1000x easier to fix and remove the security problems
than it would be to start from step -1 reinstalls ... and spend
another week or month to harden and verify all the configs
and user info ( i say, if you're "doing it right", it will take you
about 3 days to a week to harden the new box and verify it )
when you reinstall, you still cannot be guaranteed that the trojans
are not going to be restored by your reinstalls and restores from backup
- how can you guarantee that the trojans are not in the backups?
the trick is that you know how to verify the binaries, the libraries
and the directory tree ... and can find what is NOT supposed to be there
------------
if anybody thinks reinstalling is easier... no problem, but, if you
do NOT make a backup copy of the new virgin system onto cdrom/dvd, then
you did NOT learn from that possibly compromised box
- if you have a clean cdrom/dvd of the original machine,
then you can always verify in a matter of seconds
whether it is hacked or not compared to before it went on the wire
-----------
and if you know exactly how they got in ... you can close that hole
vs opening up new unknown problems by reinstalling new or old files
- you will need to know how they got in
- you will need to know when they got in
- you will need to know where they came from
- you will need to know what files they changed
- endless fun list...
- you cannot do forensics after the fact, if you have no previously
verified and clean baseline
c ya
alvin
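The verification alvin describes above (compare a live tree against a clean baseline kept on read-only media and list what is new, missing or changed) as an added example, not code from the original thread. It assumes GNU coreutils (sha256sum, join) and file paths without whitespace; the manifest format and function names are the example's own.

```shell
#!/bin/sh
# Build a baseline manifest of a directory tree: one line per regular file,
# "path sha256", sorted in the C locale so join(1) can consume it directly.
# Run this on the freshly installed box and burn the output to cdrom/dvd.
baseline() {                      # usage: baseline <root> > manifest
  ( cd "$1" && LC_ALL=C find . -type f -exec sha256sum {} + ) |
    awk '{ print $2, $1 }' | LC_ALL=C sort
}

# Compare a stored manifest against the live tree. Prints one line per
# difference (ADDED = not supposed to be there, REMOVED = missing,
# CHANGED = same path but different content) and returns 1 if any exist.
verify() {                        # usage: verify <manifest> <root>
  base=$1
  live=$(mktemp) || return 1
  baseline "$2" > "$live"
  report=$( {
    LC_ALL=C join -v1 "$base" "$live" | awk '{ print "REMOVED", $1 }'
    LC_ALL=C join -v2 "$base" "$live" | awk '{ print "ADDED", $1 }'
    LC_ALL=C join     "$base" "$live" | awk '$2 != $3 { print "CHANGED", $1 }'
  } )
  rm -f "$live"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}

# Typical use once the manifest lives on read-only media:
#   baseline / > /tmp/baseline.manifest      (then burn it)
#   verify /media/cdrom/baseline.manifest /  (exit 1 means something differs)
```

A manifest on writable disk is worth little, since whoever changed the binaries can also rewrite the list; the read-only copy is what makes the comparison trustworthy.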