Security Basics mailing list archives
Re: possible rooted systems
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 29 Oct 2004 15:06:48 -0700 (PDT)
hi ya
> Not to be a stickler for details and hopefully you are already planning this, but the infected machines should be re-imaged, not fixed. Otherwise you leave yourself open to missing backdoors and

re-imaging will NOT solve the problem, since the attacker can come back in using the same exploit that they already know worked on your box
- you have to fix the hole that they used to get in

===================================================

next time they are very likely to do an "rm -rf /" and hopefully you don't use automount in an unsafe way

a better approach ...

--
== backup all your data (not system) to a new disk on a new machine
-- leave your old backups intact forever ..
--
- find out how they got in
- find out when they got in
- find out who they are
- find out what machines they came from and get the other hack'd machine owner and isp's help to "get the attacker"
- find out what commands they typed
- find out what other machines they tried to attack/connect to
- find out what files they modified
- contact the local police dept and FBI ( if over $15K? in damages )
- hire somebody to do all that for you
> An easy solution that I use is to have a USB Drive around that has all the images I need on it. When a machine hiccups, I can back it up to the USB Drive using a ghost boot disk with dos USB drivers, and then plant a new image over the top.

the "master image" should be cdrom or non-writeable device since you are plugging your "master image" into a hacked box and by your own definition, you don't know that your usb disk is safe after that ( unknown back door, unknown virus, etc.. etc.. )

c ya
alvin
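One concrete way to answer the "find out what files they modified" item above, added here as an illustration and not taken from the thread or any poster: build a sha256 manifest of a tree from a known-good baseline (ideally the master image itself) and compare it with a manifest of the suspect box. It assumes POSIX sh with `find`, `sort -z`, `xargs -0`, `sha256sum` and `awk`, and the demo tree and file names are constructed for the example; as the reply argues, the comparison only means something when the tools and the baseline come from read-only media rather than from the compromised system.

```shell
#!/bin/sh
# Added example (not from the original thread): sha256 manifest of a tree,
# then a baseline-vs-current comparison listing modified/added/deleted files.
# Assumes GNU or BSD find/sort/xargs/sha256sum/awk; paths without whitespace.
set -u

# build_manifest DIR OUT -> one "hash  ./relpath" line per regular file
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# compare_manifests BASELINE CURRENT -> prints one MODIFIED/ADDED/DELETED line
# per difference; returns 0 when identical, 1 otherwise. Baseline must be
# non-empty (the NR==FNR idiom reads the first file into the base[] table).
compare_manifests() {
    awk '
        NR == FNR { base[$2] = $1; next }
        {
            if (!($2 in base))       { print "ADDED " $2;    diff = 1 }
            else if (base[$2] != $1) { print "MODIFIED " $2; diff = 1 }
            seen[$2] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "DELETED " p; diff = 1 }
            exit diff ? 1 : 0
        }' "$1" "$2"
}

# demo: constructed tree, baseline, then simulated post-incident changes
# (a replaced binary, a new hidden file, a removed config file)
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/bin"
    printf 'original\n' > "$work/tree/bin/ls"
    printf 'config\n'   > "$work/tree/etc.conf"
    build_manifest "$work/tree" "$work/baseline.sha256"
    printf 'replaced\n' > "$work/tree/bin/ls"
    printf 'new\n'      > "$work/tree/bin/.hidden"
    rm "$work/tree/etc.conf"
    build_manifest "$work/tree" "$work/current.sha256"
    if compare_manifests "$work/baseline.sha256" "$work/current.sha256"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# run "sh this.sh --demo" to see the three differences reported
case "${1:-}" in --demo) demo ;; esac
```

In real use, generate the baseline manifest from the pristine master image and keep it beside the image on the read-only media, so the comparison itself cannot be tampered with on the hacked box.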
Current thread:
- Re: possible rooted systems kyle (Nov 01)
- <Possible follow-ups>
- RE: possible rooted systems xyberpix (Nov 01)
- Re: possible rooted systems Alvin Oga (Nov 02)
- Re: possible rooted systems Mailing Lists (Nov 01)
- RE: possible rooted systems xyberpix (Nov 02)