Re: [cobalt-security] I've been hacked -- now what do I do?
- Subject: Re: [cobalt-security] I've been hacked -- now what do I do?
- From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
- Date: Tue, 7 Nov 2000 17:25:13 +0000 (GMT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Keep in mind that if one trojan is on the system, there's nothing
> stopping the cracker from putting on another. In my opinion, the
> machine is pretty much untrustable at this point, and requires a
> re-install, or going through a database of known file
> fingerprints/sizes and comparing them to every file on the system.
Indeed. However, there are two problems here:
a) loadable kernel modules are very hard to detect. They might be
redirecting and masking file fingerprints.
b) He says he doesn't have tripwire installed, so probably doesn't have a
record of the fingerprints.
The only way to be really sure is a reinstall. However, upgrading the
kernel and reinstalling all the RPMs (and thus everything like /bin/ls,
netstat, find etc etc) should provide an indication as to the status of
the system.
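
Added example, not part of the original message or of any Cobalt tooling: one way to do the fingerprint comparison discussed in this thread when no Tripwire baseline exists. It assumes a known-good reference tree (for instance, the same packages unpacked from original install media) and assumes the suspect filesystem is mounted read-only under a separately booted, trusted kernel, so that a loaded kernel module on the compromised system is not the one answering the reads. All function names are hypothetical.

```python
import hashlib
import os
import stat


def fingerprint(path):
    """Fingerprint a path without following symlinks (mode covers setuid/setgid)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ("symlink", os.readlink(path))
    if not stat.S_ISREG(st.st_mode):
        return ("special", stat.S_IFMT(st.st_mode))  # device, fifo, socket
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return (st.st_size, stat.S_IMODE(st.st_mode), digest.hexdigest())


def build_manifest(root):
    """Map every file path (relative to root) to its fingerprint."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = fingerprint(full)
    return manifest


def compare_trees(reference_root, suspect_root):
    """Report files that differ from, are absent from, or are not in the reference."""
    ref, sus = build_manifest(reference_root), build_manifest(suspect_root)
    return {
        "modified": sorted(p for p in ref if p in sus and ref[p] != sus[p]),
        "missing": sorted(p for p in ref if p not in sus),
        "unexpected": sorted(p for p in sus if p not in ref),
    }


if __name__ == "__main__":
    import tempfile
    # Constructed demo: "ls" has the same size but different bytes; one extra file.
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as sus:
        for root, body in ((ref, b"clean-ls"), (sus, b"troj--ls")):
            os.makedirs(os.path.join(root, "bin"))
            with open(os.path.join(root, "bin", "ls"), "wb") as f:
                f.write(body)
        open(os.path.join(sus, "bin", "extra"), "wb").close()
        print(compare_trees(ref, sus))
```

A size-only comparison would miss the constructed `ls` replacement here, since both files are eight bytes long; the digest is what catches it.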