rootkit?

Kam Leo kam.leo at gmail.com
Sun Dec 11 06:20:16 UTC 2005


On 12/10/05, Craig White <craigwhite at azapple.com> wrote:
> On Sat, 2005-12-10 at 21:59 -0800, Kam Leo wrote:
> > On 12/10/05, Scot L. Harris <webid at cfl.rr.com> wrote:
> > > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote:
> > > > On Sunday 11 December 2005 00:35, Craig White wrote:
> > > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> > >
> > > > I forgot to mention that all the unpacked files are in his son's name,
> > > > an unprivileged user, but with a very weak password.  So we think it
> > > > came in and was running as this user.  His son, taking comp sci
> > > > courses as a junior in college now, simply would never have done this,
> > > > it's just not his style.  All he ever uses is email & a web browser.
> > >
> > > Sounds like a guessed password then.  Regardless, the best thing to do
> > > is to rebuild from scratch and then set strong passwords on all
> > > accounts.  That is the only way to be sure the system is really back
> > > under your control.
> > >
> >
> > Isn't rebuilding a little extreme?  If the cracker got into an
> > unprivileged user's account and no further, isn't that particular user
> > account the only thing at risk?  Shouldn't changing all passwords to
> > strong ones and deleting the infected user account and files be
> > sufficient?
> ----
> You would have to know EXACTLY what was compromised and that would be
> difficult to determine and clearly it would take a lot less time than
> simply backing up the data, wiping out the installation and reinstalling
> fresh. Once a box is owned by someone else, you can't trust anything
> including reports from things like rpm -Va. The only thing you might be
> able to trust is a check from tripwire which had the checksums stored on
> a read-only filesystem like a CD.
>
> Craig
>

That's easy if all you had to back up were databases and globally
installed applications. If you have lots of users who have lots of
data plus locally installed applications how do you decide what is
worth replicating and what needs to be trashed?
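An added example, not from the thread: a minimal baseline-and-verify check of the kind Craig describes (tripwire-style checksums whose baseline is kept off the box on read-only media), in Python. The file tree, the baseline and the tampering are all constructed in a temp directory; in real use the baseline would be generated before deployment and written to a CD or similar, never stored on the host it describes.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Hash every regular file under root and record size and mode, tripwire-style.

    The resulting dict is the trust anchor: it is only meaningful if it was
    taken before the compromise and stored where the intruder cannot edit it.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = (digest, st.st_size, st.st_mode & 0o7777)
    return baseline


def verify_against_baseline(root, baseline):
    """Compare the live tree with the stored baseline; return (modified, added, missing)."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: a tiny 'system', a pre-deployment baseline, then post-intrusion changes."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"original ls binary")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    baseline = build_baseline(root)  # in practice: burned to read-only media at this point
    # Simulated compromise: one system binary replaced, one file dropped, one file deleted.
    (root / "bin" / "ls").write_bytes(b"replaced ls binary")
    (root / "etc" / "extra.conf").write_text("dropped by intruder\n")
    (root / "etc" / "hosts").unlink()
    return verify_against_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())  # (['bin/ls'], ['etc/extra.conf'], ['etc/hosts'])
```

Because the comparison runs with the host's own hashlib and filesystem code, a kernel-level rootkit could still lie to it; the offline baseline only removes the need to trust on-disk package metadata such as the rpm database.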




More information about the fedora-list mailing list