Re: any way to confirm break-in?
- From: yosato_uk <yosato16@xxxxxxxxx>
- Date: 30 Apr 2007 03:58:38 -0700
Thanks for the info from quite a few people in a short space of time
-- all of which is very useful.
The inevitable conclusion seems to be it is not so straightforward
even just to ascertain a break-in, if the attacker's as clever as is
expected, though there is strong circumstantial evidence... And I've
got the feeling that ssh is *not* the route through which the attacker
gained access, if they indeed did --- my passwords are much stronger
than the names tried in the failed attempts, and I'm sure that they
would have removed *all* the log files. So... excluding pure
coincidence, my guess is the same attacker that tried the ssh route
found some other route.
Now I'm not so much interested in hunting for the culprit as
preventing a further problem. I will try and enhance the security the
various ways suggested, but the remaining worry is that there might be
some malware or worm that is left on the system. If the usual tools
may fail to detect them, is there any better way? If there's no way to
be absolutely sure, I'd in fact clean-reinstall the system altogether
and recover the backed-up data. But I presume there still would remain
some risk, if some malware's mixed into the data directory... so
probably a rather naive question again: any (fast enough) way to
transfer data during which you can verify safety?
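As an added illustration of the last question (example code, not part of the original thread or anyone's reply in it): one way to get some assurance while moving backed-up data onto a rebuilt machine is to audit the restored tree before it is put into service. The script below walks a restore directory without following symlinks and flags the things that should not be in a plain data backup: setuid/setgid or executable bits, symlinks that point outside the restore root, login/ssh configuration files, and any file that is missing from, or differs from, a SHA-256 manifest taken before the incident. The list of suspicious file names, the manifest layout (relative path to hex digest) and the sample tree built in a temporary directory are all constructed for this example.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# File names an intruder typically plants or edits in a home directory.
# Assumption for this example: a short illustrative list, not an exhaustive one.
SUSPICIOUS_NAMES = {".bashrc", ".bash_profile", ".profile", ".ssh",
                    "authorized_keys", ".rhosts", ".forward"}


def sha256_of(path):
    """Stream a file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_restore(root, known_hashes=None):
    """Walk a restored data directory and return sorted (reason, relative_path) findings.

    known_hashes maps relative path -> SHA-256 hex digest from a manifest made
    *before* the incident; regular files missing from it or differing from it
    are reported. Symlinks are inspected but never followed.
    """
    root = Path(root)
    root_real = str(root.resolve()) + os.sep
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            mode = p.lstat().st_mode
            if stat.S_ISLNK(mode):
                # A link pointing outside the restore tree can redirect a later
                # copy or edit onto a system file.
                if not os.path.realpath(p).startswith(root_real):
                    findings.append(("symlink escapes restore root", rel))
                continue
            if name in SUSPICIOUS_NAMES:
                findings.append(("login/ssh config file", rel))
            if not stat.S_ISREG(mode):
                continue  # directories, sockets, etc. carry no content to hash
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid bit", rel))
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append(("executable bit", rel))
            if known_hashes is not None:
                expected = known_hashes.get(rel)
                if expected is None:
                    findings.append(("not in known-good manifest", rel))
                elif expected != sha256_of(p):
                    findings.append(("hash differs from manifest", rel))
    return sorted(findings)


def audit_sample(tampered=True):
    """Build a constructed sample restore tree in a temp dir, audit it, clean up.

    With tampered=False the tree matches the manifest exactly and the audit
    returns no findings; with tampered=True it contains the kinds of leftovers
    a compromised backup might carry.
    """
    originals = {"notes.txt": b"meeting notes\n", "report.txt": b"original report\n"}
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    root = Path(tempfile.mkdtemp(prefix="restore-audit-"))
    try:
        for rel, data in originals.items():
            (root / rel).write_bytes(data)
        if tampered:
            (root / "report.txt").write_bytes(b"original report\n<!-- injected -->\n")
            (root / ".bashrc").write_bytes(b"alias ls='/tmp/.x/ls'\n")
            (root / "bin").mkdir()
            (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho hi\n")
            os.chmod(root / "bin" / "helper", 0o4755)   # setuid + executable
            os.symlink("/etc/passwd", root / "passwd_link")
        return audit_restore(root, manifest)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for reason, rel in audit_sample():
        print(f"{reason:32s} {rel}")
```

In practice the manifest would be generated on the old machine from a backup that predates the suspected intrusion, and `audit_restore` would be pointed at the freshly extracted copy on the rebuilt host; anything it reports is reviewed by hand before the data is handed to users. It does not detect malicious content inside otherwise ordinary documents, so it supplements rather than replaces a scan with the usual tools.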