hacked

Manuel Arostegui Ramirez manuel at todo-linux.com
Fri Oct 13 09:59:43 UTC 2006


On Friday, 13 October 2006 11:48, Stuart Sears wrote:
> You can no longer trust this system at all. Absolutely any of the
> existing binaries could have been replaced by trojans.
> Do you have physical access?
> boot into a rescue environment, run your rootkit checks from there.
> But IMHO you probably need to reinstall. - back up and check your
> web content and scripts (probably config files too).
> Then reinstall the system and lock it down as tightly as possible.
> (i.e., iptables, tcp_wrappers, SELinux, Apache access controls...)
> Checking which rootkit (if any) was installed is basically an academic
> issue at this point. Removing them is not guaranteed to work.
>

Yeah, I agree. But IMHO he should practise a forensic analysis in order to 
find out what's wrong in that box and how the intruders broke in.
If he reinstalls everything without realizing how that server was hacked... he'll 
be hacked again soon.
Of course, if they got shell access or simply ran any kind of binary he's in 
trouble, but he could learn some important things from that situation and not 
repeat them in the future, at least not the same ones.
So, do not reinstall or delete anything until you know how they hacked it. Not 
yet.

Of course, I could be wrong, just an opinion.

-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, may not be read every day, and should not
be used for urgent or sensitive issues.
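The "run your checks from a rescue environment" step above, as an added example that is not code from either poster or from Red Hat: the suspect root is mounted read-only under a rescue boot (the mount point is passed in as ROOT, an assumption), file hashes are compared against a baseline manifest in sha256sum format taken while the box was still trusted (also an assumption; on an RPM system `rpm -Va --root` gives a similar signal), and setuid/setgid files are listed because that is a common place for a trojan to persist. Nothing on the suspect filesystem is executed, which is the whole point of doing this from outside. The sample tree built by make_fixture is constructed for demonstration and stands in for a real mounted root.

```shell
#!/bin/sh
# Offline integrity triage of a compromised root, run from a rescue
# environment. Example added to this thread, not part of the original mail.
# Assumptions: ROOT is the read-only mount of the suspect filesystem and
# MANIFEST holds "sha256sum" lines (hash, two spaces, path relative to /)
# recorded while the system was trusted. Paths with spaces are not handled.

# check_manifest ROOT MANIFEST
# Prints "MODIFIED path" when the hash differs and "MISSING path" when the
# file is gone. Only the tools of the rescue environment are executed.
check_manifest() {
    root="$1"; manifest="$2"
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            continue
        fi
        actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
}

# find_suid ROOT
# Lists setuid/setgid regular files, printed relative to the suspect root.
# -xdev keeps find from wandering into other filesystems under the mount.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sed "s|^$1||"
}

# make_fixture DIR
# Builds a constructed mini root plus baseline, then simulates an intrusion:
# ps is replaced, sshd is deleted and a hidden setuid backdoor is dropped.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/root/bin" "$dir/root/usr/sbin"
    printf 'clean ls binary\n'   > "$dir/root/bin/ls"
    printf 'clean ps binary\n'   > "$dir/root/bin/ps"
    printf 'clean sshd binary\n' > "$dir/root/usr/sbin/sshd"
    # baseline taken while the system was still trusted
    (cd "$dir/root" && sha256sum bin/ls bin/ps usr/sbin/sshd) \
        > "$dir/baseline.sha256"
    # the simulated compromise
    printf 'trojaned ps binary\n' > "$dir/root/bin/ps"
    rm "$dir/root/usr/sbin/sshd"
    printf 'backdoor\n' > "$dir/root/bin/.x"
    chmod 4755 "$dir/root/bin/.x"
}

# demo: run the two checks against the constructed fixture
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "== manifest differences =="
    check_manifest "$d/root" "$d/baseline.sha256"
    echo "== setuid/setgid files =="
    find_suid "$d/root"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh triage.sh demo`; against a real box, call check_manifest with the rescue mount point and your saved manifest instead. The manifest only tells you what changed, not how the attacker got in, which is why the logs and web content Manuel wants examined should be copied off the read-only mount before anything is reinstalled.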
