Re: rootkit?



On Sat, 2005-12-10 at 22:20 -0800, Kam Leo wrote:
> On 12/10/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> > On Sat, 2005-12-10 at 21:59 -0800, Kam Leo wrote:
> > > On 12/10/05, Scot L. Harris <webid@xxxxxxxxxx> wrote:
> > > > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote:
> > > > > On Sunday 11 December 2005 00:35, Craig White wrote:
> > > > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> > > >
> > > > > I forgot to mention that all the unpacked files are in his son's name,
> > > > > an unprivileged user, but with a very weak password. So we think it
> > > > > came in and was running as this user. His son, taking comp sci
> > > > > courses as a junior in college now, simply would never have done this,
> > > > > it's just not his style. All he ever uses is email & a web browser.
> > > >
> > > > Sounds like a guessed password then. Regardless, the best thing to do
> > > > is to rebuild from scratch and then set strong passwords on all
> > > > accounts. That is the only way to be sure the system is really back
> > > > under your control.
> > > >
> > >
> > > Isn't rebuilding a little extreme? If the cracker got into an
> > > unprivileged user's account and no further, isn't that particular user
> > > account the only thing at risk? Shouldn't changing all passwords to
> > > strong ones and deleting the infected user account and files be
> > > sufficient?
> > ----
> > You would have to know EXACTLY what was compromised and that would be
> > difficult to determine and clearly it would take a lot less time than
> > simply backing up the data, wiping out the installation and reinstalling
> > fresh. Once a box is owned by someone else, you can't trust anything
> > including reports from things like rpm -Va. The only thing you might be
> > able to trust is a check from tripwire which had the checksums stored on
> > a read-only filesystem like a CD.
> >
> > Craig
> >
>
> That's easy if all you had to back up were databases and globally
> installed applications. If you have lots of users who have lots of
> data plus locally installed applications how do you decide what is
> worth replicating and what needs to be trashed?
----
Backing up data directories and reinstalling from scratch is the only
known method to ensure the integrity of a system that has been
compromised. Once a box has been compromised, you cannot trust a single
binary file on the system.

How do you tell bosses/users that you cannot ensure the security of
their server by recommending repair options short of best practice?

I simply don't have an answer to that. That's not an alternative that I
intend to ever offer.

Personally, I consider the Fedora software a limited duration install
anyway.

Craig

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
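Added example, not code from the thread or from Fedora: a minimal tripwire-style baseline check of the kind Craig describes, where the checksums are generated on a known-good system, kept on read-only media, and verified later from a trusted boot environment rather than on the suspect host itself. It assumes GNU coreutils/findutils (sha256sum, find, sort, comm, awk, mktemp) and path names without whitespace; the directory and file names in the demonstration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list thread): build a file-hash baseline on a
# known-good host, store it on read-only media, and verify it later from a
# trusted environment. Assumes GNU coreutils/findutils and that no path under
# DIR contains whitespace.

# baseline_make DIR MANIFEST
# Hash every regular file under DIR and write "hash  ./path" lines to MANIFEST.
# MANIFEST should then be burned to CD or another read-only medium; a baseline
# left on the monitored disk can be rewritten by whoever owns the box.
baseline_make() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# baseline_verify DIR MANIFEST
# Print files that changed or vanished (sha256sum -c) and files that exist now
# but were never in the baseline. Returns 0 only if DIR matches MANIFEST exactly.
# Run it from a live CD or a separately booted system with the suspect disk
# mounted read-only: on the running compromised host, sha256sum, find and the
# kernel's own read() may already be the intruder's.
baseline_verify() {
    dir=$1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")   # absolute, survives the cd below
    tmp=$(mktemp -d)
    rc=0

    # 1. Changed or missing files relative to the baseline.
    if ! ( cd "$dir" && sha256sum -c --quiet "$manifest" ) 2>/dev/null; then
        rc=1
    fi

    # 2. Files present now but absent from the baseline (dropped tools, backdoors).
    awk '{print $2}' "$manifest" | LC_ALL=C sort > "$tmp/baseline_paths"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$tmp/current_paths"
    LC_ALL=C comm -13 "$tmp/baseline_paths" "$tmp/current_paths" > "$tmp/new_paths"
    if [ -s "$tmp/new_paths" ]; then
        sed 's/^/NEW: /' "$tmp/new_paths"
        rc=1
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Constructed demonstration: a stand-in for /bin with two "binaries", baselined,
# then tampered with the way a rootkit install would (replace, add, delete).
# Returns 0 if the clean tree verified and every tampering was detected.
demo_tamper_detected() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'genuine ls\n' > "$work/bin/ls"
    printf 'genuine ps\n' > "$work/bin/ps"
    baseline_make "$work/bin" "$work/baseline.sha256"

    if baseline_verify "$work/bin" "$work/baseline.sha256" >/dev/null; then clean=0; else clean=1; fi

    printf 'trojaned ps\n' > "$work/bin/ps"      # replaced binary
    printf 'irc bot\n' > "$work/bin/.sshd2"      # new hidden file outside the baseline
    rm "$work/bin/ls"                            # deleted file
    if baseline_verify "$work/bin" "$work/baseline.sha256" >/dev/null; then dirty=0; else dirty=1; fi

    rm -rf "$work"
    [ "$clean" -eq 0 ] && [ "$dirty" -eq 1 ]
}

demo_tamper_detected && echo "clean tree verified; replaced, added and deleted files all detected"
```

The thing that makes this worth anything is where it runs, not the hashing: on the compromised box, this script's output and rpm -Va's are equally suspect, because both depend on binaries and a kernel the intruder may have replaced. Boot from known-good media, mount the suspect filesystem read-only, and point baseline_verify at the mount point. A clean result also only covers what the baseline covered, so a baseline of /bin and /usr/bin says nothing about a new cron entry or an extra account; include /etc, /lib and /boot when you build it, and rebuild the baseline only from a fresh install.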