rootkit?

Craig White craigwhite at azapple.com
Sun Dec 11 06:08:56 UTC 2005


On Sat, 2005-12-10 at 21:59 -0800, Kam Leo wrote:
> On 12/10/05, Scot L. Harris <webid at cfl.rr.com> wrote:
> > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote:
> > > On Sunday 11 December 2005 00:35, Craig White wrote:
> > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> >
> > > I forgot to mention that all the unpacked files are in his son's name,
> > > an unprivileged user, but with a very weak password.  So we think it
> > > came in and was running as this user.  His son, taking comp sci
> > > courses as a junior in college now, simply would never have done this,
> > > it's just not his style.  All he ever uses is email & a web browser.
> >
> > Sounds like a guessed password then.  Regardless, the best thing to do
> > is to rebuild from scratch and then set strong passwords on all
> > accounts.  That is the only way to be sure the system is really back
> > under your control.
> >
> 
> Isn't rebuilding a little extreme?  If the cracker got into an
> unprivileged user's account and no further, isn't that particular user
> account the only thing at risk?  Shouldn't changing all passwords to
> strong ones and deleting the infected user account and files be
> sufficient?
----
You would have to know EXACTLY what was compromised, and that would be
difficult to determine; clearly it would take a lot less time than
simply backing up the data, wiping out the installation and reinstalling
fresh. Once a box is owned by someone else, you can't trust anything,
including reports from things like rpm -Va. The only thing you might be
able to trust is a check from tripwire which had the checksums stored on
a read-only filesystem like a CD.

Craig
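The integrity check Craig describes, as an added example that is not part of the thread and is not tripwire's own code: a small POSIX shell script that records a SHA-256 baseline of a tree from a trusted environment and later compares the live tree against it. It assumes sha256sum, find, sort and awk are available, that file paths contain no whitespace, and that the directory layout in the demo is constructed (a stand-in for /usr/bin). The point it illustrates is the one in the post: the baseline must be written to read-only media at install time and the verification must be run from a rescue boot with the rescue system's own tools, because rpm -Va, the rpm database and every binary on the suspect host are exactly what a rootkit can replace.

```shell
#!/bin/sh
# Added example: offline file-integrity baseline and verification.
# Not code from the fedora-list thread or from tripwire; paths and data below
# are constructed for the demo.

# make_baseline ROOT BASELINE
#   Writes "sha256  ./relative/path" for every regular file under ROOT.
#   Run this at install time from a known-good system and copy BASELINE to
#   read-only media (CD, write-protected USB), not onto the host being watched.
make_baseline() {
    mb_root=$1; mb_out=$2
    ( cd "$mb_root" && find . -type f -print | LC_ALL=C sort \
        | while IFS= read -r f; do sha256sum "$f"; done ) > "$mb_out"
}

# verify_baseline ROOT BASELINE
#   Recomputes the hashes of ROOT and reports ADDED / CHANGED / MISSING paths.
#   Returns 0 when the tree matches the baseline, 1 when anything differs.
#   Run it from rescue media with the suspect root mounted (e.g. /mnt/sysimage):
#   the sha256sum and awk doing the checking must come from the rescue system,
#   never from the suspect host, or a rootkit can lie to the checker too.
verify_baseline() {
    vb_root=$1; vb_base=$2
    vb_cur=$(mktemp) || return 2
    make_baseline "$vb_root" "$vb_cur"
    awk -v b="$vb_base" '
        FILENAME == b { want[$2] = $1; next }          # baseline: hash by path
        {
            seen[$2] = 1
            if (!($2 in want))        { print "ADDED   " $2; bad = 1 }
            else if (want[$2] != $1)  { print "CHANGED " $2; bad = 1 }
        }
        END {
            for (p in want) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$vb_base" "$vb_cur"
    vb_rc=$?
    rm -f "$vb_cur"
    return $vb_rc
}

# demo: constructed tree standing in for a system bin directory; returns 0 if
# a simulated trojaned binary is caught by the baseline check, 1 if missed.
demo() {
    d_work=$(mktemp -d) || return 2
    mkdir -p "$d_work/tree/bin"
    printf 'legitimate ls\n' > "$d_work/tree/bin/ls"
    printf 'legitimate ps\n' > "$d_work/tree/bin/ps"
    make_baseline "$d_work/tree" "$d_work/baseline.sha256"   # "burn to CD" here
    printf 'trojaned ps\n' > "$d_work/tree/bin/ps"            # rootkit swaps ps
    if verify_baseline "$d_work/tree" "$d_work/baseline.sha256"; then
        rm -rf "$d_work"; return 1
    fi
    rm -rf "$d_work"
    return 0
}

demo && echo "tampering detected" || echo "tampering NOT detected"
```

The baseline records relative paths so the same file can be checked whether the tree is mounted at / or under a rescue mount point. Note what this does not cover: kernel modules and the running kernel itself, which is why a rebuild from trusted media is still the safe answer once anything shows up as CHANGED.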

