On 12/10/05, Scot L. Harris <webid@xxxxxxxxxx> wrote: > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote: > > On Sunday 11 December 2005 00:35, Craig White wrote: > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote: > > > I forgot to mention that all the unpacked files are in his sons name, > > an unpriviledged user, but with a very weak password. So we think it > > came in and was running as this user. His son, taking comp sci > > courses as a junior in college now, simply would never have done this, > > its just not his style. All he ever uses is email & a web browser. > > Sounds like a guessed password then. Regardless, the best thing to do > is to rebuild from scratch and then set strong passwords on all > accounts. That is the only way to be sure the system is really back > under your control. > Isn't rebuilding a little extreme? If the cracker got into an unpriviledged user's account and no further isn't that particular user account the only thing at risk? Shouldn't changing all passwords to strong ones and deleting the infected user account and files be sufficient?
