Re: unknown process

From: Peter Pentchev (roam@orbitel.bg)
Date: 04/19/01


Date: Thu, 19 Apr 2001 12:54:27 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Rasputin <rara.rasputin@virgin.net>

On Thu, Apr 19, 2001 at 10:48:19AM +0100, Rasputin wrote:
> * Peter Pentchev <roam@orbitel.bg> [010419 10:42]:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > "David G. Andersen" <dga@pobox.com> writes:
> > > > You've been hacked. Do what Kris said immediately - take your
> > > > system offline, and figure out how they got in. You'll likely
> > > > need to either restore from backups, a fresh install, or check
> > > > your tripwire/etc logs to determine what else the intruder
> > > > changed, if they installed a rootkit, etc.
> > >
> > > It's not either/or. The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
>
> Just a though - do the cvs servers count as 'trusted'?
> How feasible would it be to cvsup and installworld?
>
> I'd personally go for reinstalling the compiler, cvsup binary,
> networking packages, etc from CD
> first - that probably wouldn't be enough, though, would it?

If you're doing this on the same machine, you should also watch out for
kernel modules, rc scripts and stuff.. I say a clean install, and then..
if the previous setup had been right.. all the additional programs and configs
should be easily rebuilt/restored from CVS or similar. As to the data,
and DATA ONLY, backups should be safe.

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message