[H-GEN] apache2 compromised or just attempts?
Robert Brockway
rbrockway at opentrend.net
Sun May 28 21:10:54 EDT 2006
On Mon, 29 May 2006, Ted Percival wrote:

> Just remember your kernel and iptables binaries could be rooted, too.
> The only safe action is to reinstall the machine from scratch, don't

That's right. Recommended practice is to reinstall a compromised box.
Once a box is rooted it is possible for backdoors to be added to so many
places you'll never be sure you got them all.

Once the reinstall is complete, don't transfer any binaries from the old
rooted system to the new system if you can possibly avoid it. If you must
transfer the binaries then compare them to known good copies (md5sum is
your friend).

Personally I do not trust distro-supplied copies of apps like chkrootkit
if I suspect a break-in. I prefer to boot from read-only media and use
tools not subject to the baddies to do the checks. In practice Linux live
CD-ROMs like Knoppix do fine for this in most cases.

Rob
--
Robert Brockway B.Sc. Phone: +1-905-821-2327
Senior Technical Consultant Urgent Support: +1-416-669-3073
OpenTrend Solutions Ltd Email: support at opentrend.net
Web: www.opentrend.net
We are open 24x365 for technical support. Call us in a crisis.
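
The comparison against known-good copies described in the message above, as an added example that is not part of the original post. The function names (`manifest`, `compare_trees`, `make_sample`) and the sample tree are hypothetical; it assumes the known-good tree comes from trusted media and that the script is run from a read-only boot environment.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# tree are hypothetical. Run it from trusted boot media so that find, awk and
# the hash tool themselves are not the suspect system's copies.
HASH_CMD="${HASH_CMD:-md5sum}"   # md5sum as named in the post; sha256sum also works

# manifest DIR: print "<hash>  ./relative/path" for every regular file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec "$HASH_CMD" {} + )
}

# compare_trees GOOD SUSPECT: one finding per line, exit status 1 on any finding.
#   MODIFIED  hash differs from the known-good copy
#   UNKNOWN   present only in the suspect tree (no reference to check against)
#   MISSING   present only in the known-good tree
compare_trees() (
    gm=$(mktemp) || exit 2
    sm=$(mktemp) || exit 2
    manifest "$1" > "$gm"
    manifest "$2" > "$sm"
    out=$(awk '
        { h = $1; p = substr($0, length($1) + 3) }   # skip hash + 2 separator chars
        FILENAME == ARGV[1] { good[p] = h; next }
        { seen[p] = 1
          if (!(p in good))      print "UNKNOWN  " p
          else if (good[p] != h) print "MODIFIED " p }
        END { for (p in good) if (!(p in seen)) print "MISSING  " p }
    ' "$gm" "$sm" | sort)
    rm -f "$gm" "$sm"
    [ -z "$out" ] && exit 0
    printf '%s\n' "$out"
    exit 1
)

# Constructed sample: one altered, one missing and one unexpected file.
make_sample() {
    mkdir -p "$1/good/bin" "$1/suspect/bin"
    printf 'ls-v1\n'  > "$1/good/bin/ls";  printf 'ls-v1\n'      > "$1/suspect/bin/ls"
    printf 'ps-v1\n'  > "$1/good/bin/ps";  printf 'ps-changed\n' > "$1/suspect/bin/ps"
    printf 'top-v1\n' > "$1/good/bin/top"
    printf 'extra\n'  > "$1/suspect/bin/.hidden"
}

if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"            # e.g. known-good tree, mounted old disk
else
    d=$(mktemp -d) && make_sample "$d"
    compare_trees "$d/good" "$d/suspect" || true
    rm -rf "$d"
fi
```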