
Re: Re: Is my system compromised



    Yay, more of Alvin's nonsense!

> personally, it is 1000x easier to fix and remove the security problems
> than it would be to start from step -1 reinstalls

    Uh no, it's not if you do it properly.

> ... and spend
> another week or month to harden and verify all the configs
> and user info ( i say, if you're "doing it right", it will take you
> about 3 days to a week to harden the new box and verify it )

    Personally I spend about 2-3 minutes doing this.  It's called regular
backups of /etc and other key locations of configuration data.  Pull a
copy prior to the compromise.

> when you reinstall, you still cannot be guaranteed that the trojans
> are not going to be restored by your reinstalls and restores from backup

     That's why, dundunDUNNNNN, he said "copy only data, not programs."
Backing up data, not programs, means the chances of you getting
anything malicious in there is extremely low.  In fact I dare say
nonexistent.

>     - how can you guarantee that the trojans are not in the backups ?
</gre_replace>
<gr_insert after="44" cat="add_content" lang="shell" orig="Steve Lamb">
The two points argued above, knowing what is supposed to be in the directory tree and the fact that a compromised host's own tools cannot be trusted to tell you, are illustrated by the following added example. It is not code from either poster: a POSIX shell script that records a SHA-256 manifest of a tree while the host is known-good and later reports modified, missing and unexpected files. The names `make_manifest` and `verify_manifest` and the `init`/`check` subcommands are the example's own; the comparison only means something when `sha256sum`, `find` and friends are themselves trusted (for instance run from read-only boot media against the mounted disk), which is exactly the point the reply makes.

```shell
#!/bin/sh
# Added example (not from the thread): file-tree integrity manifest.
# init  : record "hash  ./path" lines for every regular file under DIR
# check : compare the live tree against a recorded manifest and print
#         MODIFIED / MISSING / UNEXPECTED lines, exit 1 on any difference.
# Run the check with tools you trust (e.g. from read-only boot media), since
# on a compromised host sha256sum/find may have been replaced to hide changes.
set -eu

# make_manifest DIR OUT: write a sorted manifest of DIR's regular files.
make_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && LC_ALL=C find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 sha256sum ) > "$out"
}

# verify_manifest DIR MANIFEST: returns 0 if DIR matches MANIFEST exactly,
# 1 otherwise, printing one line per discrepancy.
verify_manifest() {
    dir=$1; manifest=$2
    status=0

    # 1. Every recorded file must still exist with the recorded hash.
    while IFS= read -r hash path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(sha256sum < "$dir/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"

    # 2. Anything on disk that is not in the manifest is "NOT supposed to
    #    be there" (a planted binary, an added library, a dropped config).
    recorded=$(mktemp); ondisk=$(mktemp)
    sed 's/^[0-9a-f]\{64\}  //' "$manifest" | LC_ALL=C sort > "$recorded"
    ( cd "$dir" && LC_ALL=C find . -type f ) | LC_ALL=C sort > "$ondisk"
    unexpected=$(LC_ALL=C comm -13 "$recorded" "$ondisk")
    rm -f "$recorded" "$ondisk"
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED /'
        status=1
    fi
    return "$status"
}

# Usage: sh manifest.sh init  DIR MANIFEST   (while the box is known-good)
#        sh manifest.sh check DIR MANIFEST   (later, from trusted tools)
case "${1:-}" in
    init)  make_manifest "$2" "$3" ;;
    check) verify_manifest "$2" "$3" ;;
esac
```

Store the manifest somewhere the host cannot rewrite (offline media, another machine); a manifest kept on the same disk is only as trustworthy as the disk. For a full host the same approach is usually applied per package via the distribution's package database, but the script shows the mechanism without depending on one.
<test>
set -e
d=$(mktemp -d); m=$(mktemp)
mkdir -p "$d/bin" "$d/etc"
printf 'good binary\n' > "$d/bin/ls"
printf 'config=1\n' > "$d/etc/app.conf"
make_manifest "$d" "$m"
[ "$(wc -l < "$m")" -eq 2 ] || exit 1
verify_manifest "$d" "$m" > /dev/null && rc=0 || rc=$?
[ "$rc" -eq 0 ] || exit 1
# tamper: modify one file, remove one, plant a new one
printf 'trojaned binary\n' > "$d/bin/ls"
rm "$d/etc/app.conf"
printf 'planted\n' > "$d/bin/extra"
out=$(verify_manifest "$d" "$m") && rc=0 || rc=$?
[ "$rc" -eq 1 ] || exit 1
printf '%s\n' "$out" | grep -q '^MODIFIED ./bin/ls$' || exit 1
printf '%s\n' "$out" | grep -q '^MISSING ./etc/app.conf$' || exit 1
printf '%s\n' "$out" | grep -q '^UNEXPECTED ./bin/extra$' || exit 1
rm -rf "$d" "$m"
</test>
</gr_insert>
<gr_replace lines="46-48" cat="remove_boilerplate" orig="">

    Backup data areas, not areas in the path?  Just a thought.

> the trick is that you know how to verify the binaries, the libraries
> and the directory tree ... and can find what is NOT supposed to be there

    Which is extremely hard to do on a compromised system where the basic
tools you rely on to detect such things have been modified to hide the
very things you're looking for.


-- 
Steve Lamb



Reply to: