
Re: [cobalt-security] I've been hacked -- now what do I do?



> Keep in mind that if one trojan is on the system, there's nothing
> stopping the cracker from putting on another.  In my opinion, the
> machine is pretty much untrustable at this point, and requires a
> re-install, or going through a database of known file
> fingerprints/sizes and comparing them to every file on the system.

Indeed.  However, there are two problems here:

a) loadable kernel modules are very hard to detect.  They might be
redirecting and masking file fingerprints.

b) He says he doesn't have tripwire installed, so probably doesn't have a
record of the fingerprints.

The only way to be really sure is a reinstall.  However, upgrading the
kernel and reinstalling all the RPMs (and thus everything like /bin/ls,
netstat, find etc etc) should provide an indication as to the status of
the system.
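The "database of known file fingerprints" approach mentioned in the quoted message, as an added example that is not part of this thread: a small tripwire-style baseline is built from size plus SHA-256 of every regular file, then compared against a fresh scan, and the constructed sample tree shows why size alone is not enough (the replaced binary keeps its original length). As point (a) above notes, a kernel module can lie to the scanner, so the comparison is only trustworthy when run from a clean boot medium against the mounted disk, with the baseline kept off the box.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return (size, sha256 hex) for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()


def build_baseline(root):
    """Walk root and fingerprint every regular file (symlinks are skipped)."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                base[os.path.relpath(p, root)] = fingerprint(p)
    return base


def compare(baseline, current):
    """Report relative paths that changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample tree: take a baseline, then alter it and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        (bin_dir / "ls").write_bytes(b"original ls binary")
        (bin_dir / "netstat").write_bytes(b"original netstat binary")
        baseline = build_baseline(root)
        # Replacement of the same byte length: a size-only check would miss it.
        (bin_dir / "ls").write_bytes(b"trojaned ls binary")
        # An extra file dropped into the tree.
        (bin_dir / ".hidden").write_bytes(b"dropped file")
        return compare(baseline, build_baseline(root))
```

On a real host the baseline dict would be written to read-only media right after a clean install and the scan pointed at `/`, or at the mount point of the suspect disk when booted from rescue media.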