Re: unknown process

From: Peter Pentchev (roam@orbitel.bg)
Date: 04/19/01


Date: Thu, 19 Apr 2001 12:54:27 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Rasputin <rara.rasputin@virgin.net>

On Thu, Apr 19, 2001 at 10:48:19AM +0100, Rasputin wrote:
> * Peter Pentchev <roam@orbitel.bg> [010419 10:42]:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > "David G. Andersen" <dga@pobox.com> writes:
> > > > You've been hacked. Do what Kris said immediately - take your
> > > > system offline, and figure out how they got in. You'll likely
> > > > need to either restore from backups, a fresh install, or check
> > > > your tripwire/etc logs to determine what else the intruder
> > > > changed, if they installed a rootkit, etc.
> > >
> > > It's not either/or. The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
>
> Just a thought - do the cvs servers count as 'trusted'?
> How feasible would it be to cvsup and installworld?
>
> I'd personally go for reinstalling the compiler, cvsup binary,
> networking packages, etc from CD
> first - that probably wouldn't be enough, though, would it?

If you're doing this on the same machine, you should also watch out for
kernel modules, rc scripts and stuff.. I say a clean install, and then..
if the previous setup had been right.. all the additional programs and configs
should be easily rebuilt/restored from CVS or similar. As to the data,
and DATA ONLY, backups should be safe.

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
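
An added example, not part of the original message: one way to hold a backup to the "data only" standard described above is to list everything in the restored tree that is not plain data before copying it onto the clean install. The heuristics, function names and sample tree below are assumptions made for illustration.

```python
import os
import stat

EXEC_MAGIC = (b"\x7fELF", b"#!")            # assumed: native binaries, interpreter scripts
MODULE_SUFFIXES = (".ko", ".so")            # assumed: kernel modules, shared libraries
STARTUP_DIRS = {"rc.d", "periodic", "cron.d"}  # assumed: startup / scheduled-job dirs

def classify(path, root):
    """Return the reasons a backed-up file is not plain data ([] means data)."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, device, fifo)"]
    reasons = []
    if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid bit")
    if st.st_mode & 0o111:
        reasons.append("executable bit")
    with open(path, "rb") as fh:
        if fh.read(4).startswith(EXEC_MAGIC):
            reasons.append("executable content")
    if path.endswith(MODULE_SUFFIXES):
        reasons.append("loadable module or library")
    parts = os.path.relpath(path, root).split(os.sep)
    if STARTUP_DIRS.intersection(parts[:-1]) or parts[-1].startswith("rc."):
        reasons.append("startup or scheduled-job script")
    return reasons

def audit_backup(root):
    """Map relative path -> reasons, for every file that needs review before restore."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := classify(full, root):
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree(root):  # constructed sample backup, not from the thread
    sample = [("home/alice/notes.txt", b"meeting at 10\n", 0o644),
              ("home/alice/report.pdf", b"%PDF-1.4\n", 0o755),
              ("home/alice/.cache/update", b"#!/bin/sh\necho hi\n", 0o644),
              ("etc/rc.local", b"# local startup\n", 0o644),
              ("boot/modules/snd.ko", b"\x7fELF\x01\x01", 0o644)]
    for rel, data, mode in sample:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)
```

Run `audit_backup()` against a copy of the backup mounted on a known-clean machine; an empty result does not prove the data is harmless, it only rules out the obvious places code hides.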