On Tue, 2004-12-14 at 02:40, Rich Burroughs wrote:
> mark wrote:
> > I am just trying to figure out if I have to re-install. It looks like
> > it. Vulnerability in PHP or PHPBB I think.
> >

A re-install is the only sure way to make sure you have cleared the system of any malicious code.

> A better way is to check using Tripwire or a similar tool, if you
> installed one.

Note: tripwire is only useful if it was set up on the system prior to the suspected takeover of the system. If it was in place and correctly set up, tripwire would have alerted you to changed/new files placed on your system. This may have alerted you sooner that there was a problem. How soon depends on how often you run the tripwire check. In your case you might want to run it several times a day but no less than once a day.

Once you have been rooted, tools like chkrootkit might help you confirm it and possibly let you know some of what was done. However the only sure way to make sure you have regained control of such a system is to re-install from scratch. Be careful of which backups you use; you need to make sure you don't re-infect yourself from backups.

--
Scot L. Harris
webid@xxxxxxxxxx

Genius is one percent inspiration and ninety-nine percent perspiration.
        -- Thomas Alva Edison
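The point in the message above about when the baseline is taken, as an added example that is not part of the original message and is not Tripwire's own code: a minimal hash-baseline check run over a constructed sample tree. The function names (`snapshot`, `compare`, `demo`) and the file names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests

def compare(baseline, current):
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree: baseline it, alter it, then check twice."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "forum"))

        def write(rel, data):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(data)

        write("forum/index.php", "<?php echo 'hello'; ?>")
        write("forum/config.php", "<?php $db = 'forum'; ?>")
        good = snapshot(root)            # baseline taken before the takeover

        # Constructed changes standing in for what happened to the system.
        write("forum/index.php", "<?php echo 'hello'; /* altered */ ?>")
        write("forum/extra.php", "<?php /* was not there before */ ?>")
        os.remove(os.path.join(root, "forum/config.php"))

        early = compare(good, snapshot(root))   # every change is reported
        late = compare(snapshot(root), snapshot(root))  # baseline taken too late
        return early, late

if __name__ == "__main__":
    early, late = demo()
    print("baseline taken before the change:", early)
    print("baseline taken after the change: ", late)
```

A baseline first taken after the change records the altered files as the known-good state, so the second check reports nothing. The baseline also has to be stored where someone with root on the host cannot rewrite it, such as read-only media or another machine.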