Re: Is my system compromised
On Sunday 05 February 2006 06:52, grey@dmiyu.org wrote:
> Yay, more of Alvin's nonsense!
>
>> personally, it is 1000x easier to fix and remove the security
>> problems than it would be to start from step -1 reinstalls
>
> Uh no, it's not if you do it properly.
>
>> ... and spend
>> another week or month to harden and verify all the configs
>> and user info ( i say, if you're "doing it right", it will take you
>> about 3 days to a week to harden the new box and verify it )
>
> Personally I spend about 2-3 minutes doing this. It's called
> regular backups of /etc and other key locations of configuration
> data. Pull a copy prior to the compromise.
>
>> when you reinstall, you still cannot be guaranteed that the trojans
>> are not going to be restored by your reinstalls and restores from
>> backup
>
> That's why, dundunDUNNNNN, he said "copy only data, not
> programs." Backing up data, not programs, means the chances of you
> getting anything malicious in there are extremely low. In fact I dare
> say nonexistent.
>
>> - how can you guarantee that the trojans are not in the backups ?
>
> Backup data areas, not areas in the path? Just a thought.
>
>> the trick is that you know how to verify the binaries, the libraries
>> and the directory tree ... and can find what is NOT supposed to be
>> there
>
> Which is extremely hard to do on a compromised system where the
> basic tools you rely on to detect such things have been modified to
> hide the very things you're looking for.
>
What he said, amen amen. I did clean up a rootkit once, years ago, but
it took about 3 days to check everything. Fortunately, the perp DIDN'T
put in a new chattr; it turned out to be a very valuable tool to find
his crap.
A re-install is quicker, then get older backups from amanda's stash.
>--
>Steve Lamb
--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
Reply to:
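The thread's advice boils down to: rebuild the programs from install media and restore only data and configuration from backup. The script below is an added example, not something posted in the thread; it splits a backup manifest (assumed to be one path per line, as `tar tf` prints) into data that is safe to restore and entries that execute or get loaded automatically and should be rebuilt or reviewed by hand instead. The sample manifest is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: before restoring a freshly reinstalled
# box from backup, split the backup manifest into data (safe to restore) and
# anything that executes or is loaded automatically (rebuild from install
# media instead). Manifest format assumed: one path per line, as `tar tf` prints.

# classify PATH -> prints one of: program, autorun, data
classify() {
    p=${1#./}            # drop a tar-style "./" prefix
    p=${p#/}             # and a leading slash, so patterns are root-relative
    case "$p" in
        bin/*|sbin/*|lib/*|lib64/*|usr/bin/*|usr/sbin/*|usr/lib/*|usr/lib64/*|\
        usr/local/bin/*|usr/local/sbin/*|usr/local/lib/*|opt/*)
            echo program ;;   # binaries and libraries: never restore these
        etc/init.d/*|etc/rc*.d/*|etc/rc.local|etc/cron*|var/spool/cron/*|\
        etc/ld.so.preload|etc/ld.so.conf*|etc/profile.d/*|etc/modules*)
            echo autorun ;;   # runs or loads at boot/login/schedule: review by hand
        *)  echo data ;;      # configuration and user data
    esac
}

# restore_list < MANIFEST -> data paths on stdout, everything else reported on stderr
restore_list() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        kind=$(classify "$path")
        if [ "$kind" = data ]; then
            printf '%s\n' "$path"
        else
            printf 'SKIP (%s): %s\n' "$kind" "$path" >&2
        fi
    done
}

# Constructed sample manifest, as a compromised box's backup might list it.
SAMPLE_MANIFEST='./etc/passwd
./etc/ld.so.preload
./etc/cron.d/hourly-sync
./usr/local/bin/sshd
./home/gene/Mail/inbox
./var/lib/amanda/index/db'

# count_data -> number of sample manifest entries that would be restored
count_data() {
    printf '%s\n' "$SAMPLE_MANIFEST" | restore_list 2>/dev/null | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_MANIFEST" | restore_list
```

Feed the data list on stdout to `tar -T -` (or your restore tool's include list) and read the SKIP lines before deciding anything in them is wanted on the new box.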