OT. Have I been hacked? IRCD?

Scot L. Harris webid at cfl.rr.com
Tue Dec 14 14:48:32 UTC 2004


On Tue, 2004-12-14 at 02:40, Rich Burroughs wrote:
> mark wrote:
> > I am just trying to figure out if I have to re-install.  It looks like 
> > it.  Vulnerability in PHP or PHPBB I think.
> > 

A re-install is the only sure way to make sure you have cleared the
system of any malicious code.

> A better way is to check using Tripwire or a similar tool, if you 
> installed one.

Note: tripwire is only useful if it was set up on the system prior to the
suspected takeover of the system.  If it was in place and correctly
set up, tripwire would have alerted you to changed/new files placed on
your system.  This may have alerted you sooner that there was a
problem.  How soon depends on how often you run the tripwire check.  In
your case you might want to run it several times a day but no less than
once a day.  

Once you have been rooted, tools like chkrootkit might help you confirm
it and possibly let you know some of what was done.  However, the only
sure way to make sure you have regained control of such a system is to
re-install from scratch.  Be careful of which backups you use; you need
to make sure you don't re-infect yourself from backups.

-- 
Scot L. Harris
webid at cfl.rr.com

Genius is one percent inspiration and ninety-nine percent perspiration.
		-- Thomas Alva Edison 
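
Added example, not part of the original message and not Tripwire's own code: a minimal Python sketch of the baseline-and-compare idea behind the note above, showing that a baseline first taken after files were changed reports nothing. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # this sketch only tracks regular files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = os.stat(path).st_mode & 0o7777
            manifest[os.path.relpath(path, root)] = (digest, mode)
    return manifest


def compare(baseline, current):
    """List paths that are new, removed, or changed relative to the baseline."""
    return {
        "new": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def write(root, rel, data):
    """Create a constructed sample file under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline before tampering versus baseline after."""
    with tempfile.TemporaryDirectory() as root:
        write(root, os.path.join("bin", "ls"), b"original ls")
        write(root, os.path.join("etc", "motd"), b"welcome")
        early = snapshot(root)  # taken while the system is known good
        write(root, os.path.join("bin", "ls"), b"replaced ls")   # modified file
        write(root, os.path.join("tmp", "dropped"), b"new file")  # new file
        late = snapshot(root)   # "baseline" first taken after the change
        return compare(early, snapshot(root)), compare(late, snapshot(root))


if __name__ == "__main__":
    for label, report in zip(("baseline before", "baseline after"), demo()):
        print(label, report)
```

The baseline manifest itself has to be stored where the monitored system cannot rewrite it, otherwise the comparison can be made to pass.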