Full Disclosure mailing list archives

RE: Removing ShKit Root Kit


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 22 Dec 2003 13:52:57 -0600

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Alexander Schreiber
Sent: Monday, December 22, 2003 12:24 AM
To: Chris
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Removing ShKit Root Kit

There is exactly one way to properly clean up a rooted box: 
backup the system (for later analysis and for keeping any 
data that might be needed), wipe the disks and reinstall from 
known clean install media, update the system to get all 
current security updates and properly secure the box.

This advice is common, and it's always mystified me.  Why would you want
backups of the "data"?  If the box is compromised, you can't trust
*anything* on it, can you?  How can you know for certain that "data"
isn't a cleverly concealed backdoor?

I can understand backing up the disk for offline analysis, but I would
think you'd want to restore your data from known good copies, wouldn't
you?  And if you don't have known good data backups, well, then consider
it a lesson learned and do it right the next time.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
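An added example, not part of the original thread or anyone's posted code, of the check the reply above implies: before restoring anything recovered from a rooted box, compare it against a manifest of known-good hashes taken from an off-box backup, and treat every file that is altered, missing, or simply not in the manifest as evidence rather than as data to restore. The directory layout, file contents and the manifest below are constructed for illustration.

```python
"""
Added example (not from the original post): classify files recovered from a
compromised host against a manifest of known-good SHA-256 hashes, so only
byte-identical copies of trusted data are restored. All paths, contents and
hashes used here are constructed for illustration.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest.

    Run this against the known-good backup (taken before the incident and
    stored off the box), never against the compromised system itself.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def triage(manifest, suspect_root):
    """Compare files pulled off the compromised box against the manifest.

    Only 'restore' entries are byte-identical to a trusted copy. 'modified',
    'unknown' (never in the backup) and 'missing' entries go to the offline
    analysis, not back into production.
    """
    result = {"restore": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(suspect_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, suspect_root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                result["unknown"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                result["restore"].append(rel)
            else:
                result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    for key in result:
        result[key].sort()
    return result


def _write(root, rel, data):
    """Helper for the constructed sample trees below."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed trusted backup and a constructed post-compromise copy."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as suspect:
        # Constructed known-good backup, taken before the incident.
        _write(trusted, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(trusted, "var/www/index.html", b"<html>hello</html>\n")
        _write(trusted, "home/chris/notes.txt", b"meeting at 10\n")
        manifest = build_manifest(trusted)

        # Constructed copy pulled off the rooted box: one file intact, one
        # altered (an extra uid-0 account), one file that was never in the
        # backup, and one file that has disappeared.
        _write(suspect, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/sh\nr00t:x:0:0::/:/bin/sh\n")
        _write(suspect, "var/www/index.html", b"<html>hello</html>\n")
        _write(suspect, "var/www/.cache/helper.dat", b"not in any backup\n")
        return triage(manifest, suspect)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

In a real incident the manifest is built from the off-box backup and the suspect tree is the forensic image mounted read-only; anything outside the "restore" bucket is kept for analysis, which is exactly why a known-good copy taken before the compromise is the only thing worth restoring from.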

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html