Re: [Freebsd-security] Re: Hacked or not appendice

From: Remko Lodder (remko_at_elvandar.org)
Date: 06/13/04

  • Next message: Peter Rosa: "Re: Hacked or not - RESULT" 
    Date: Sun, 13 Jun 2004 01:54:08 +0200
To: Peter Jeremy <PeterJeremy@optushome.com.au>

    Hey

    Peter Jeremy wrote:

    >
    > [Please wrap your mail before 80 characters]
    >
    > Why would you trust the toolchain on a potentially hacked machine?
    > There's an old paper by Ken Thompson that dicusses patching the C
    > compiler to recognize the login sources and re-introduce a backdoor -
    > even it was removed from the login sources.
    >
    > You would be much better off booting a fixit CD-ROM and using that
    > rather than trusting anything on the potentially hacked system.

    Indeed, one should make a backup copy (if possible) of the potentially
    hacked computer (Drive) and take the machine offline.

    Then insert the backupdisk in a other pc, (or the same, with the
    original hd stored safely) and startup your Live-cd kit (which can be a
    freebsd version from cd, or linux). Make sure that the tools necessary
    are on the live cd;-) and to forensics (tct might help (The Coroners
    Toolkit)..

    After finding out what happened, format the disk, and reinstall from
    scratch, be hostile to every config file and stuff you backupped,
    because you might not be able to tell when the potential hack took
    place.....

    Cheers :-)

    > 

    -- 
Kind regards,
Remko Lodder                   |remko@elvandar.org
Reporter DSINet                |remko@dsinet.org
Projectleader Mostly-Harmless  |remko@mostly-harmless.nl
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
  • Next message: Peter Rosa: "Re: Hacked or not - RESULT"