System cracked, a story

David Kramer david at thekramers.net
Mon May 26 20:25:40 EDT 2003


On Sunday 25 May 2003 11:37 pm, Bill Horne wrote:
> On Sun, May 25, 2003 at 08:33:03PM -0400, Doug Sweetser wrote:
> [snip]
>
> > Last Sunday, someone with a root kit was able to replace my
> > /etc/passwd file.
>
> [snip]
>
> > The intruder wasted my time, but no data was lost.  If people have
> > other ideas about stopping root kits, I'd like to know.
>
> [snip]
>
> I suggest a wipe of the HD, and a reinstall of the OS from known good
> media. Once it's running the way you want, but BEFORE it's connected to the
> net, install Tripwire.

Been there, done that, seconding Bill.

There is ABSOLUTELY no other way to ensure there are no back doors on your 
system.

Back up DATA AND CONFIG FILES ONLY, and even then eyeball the important ones.

Fresh install.

Restore data and config files.

Install Tripwire or some such tool.

Review your firewall rules.  Yes, you need a firewall for dialup.

THEN connect it to the net.

----------------------------------------------------------------------------
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD  "Always listen to the experts. 
DKK D  They'll tell you what can't be done and why.
DK KD  Then do it."
DDDD                                                         Robert Heinlein


