On Sat, 2005-12-10 at 21:59 -0800, Kam Leo wrote: > On 12/10/05, Scot L. Harris <webid@xxxxxxxxxx> wrote: > > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote: > > > On Sunday 11 December 2005 00:35, Craig White wrote: > > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote: > > > > > I forgot to mention that all the unpacked files are in his sons name, > > > an unpriviledged user, but with a very weak password. So we think it > > > came in and was running as this user. His son, taking comp sci > > > courses as a junior in college now, simply would never have done this, > > > its just not his style. All he ever uses is email & a web browser. > > > > Sounds like a guessed password then. Regardless, the best thing to do > > is to rebuild from scratch and then set strong passwords on all > > accounts. That is the only way to be sure the system is really back > > under your control. > > > > Isn't rebuilding a little extreme? If the cracker got into an > unpriviledged user's account and no further isn't that particular user > account the only thing at risk? Shouldn't changing all passwords to > strong ones and deleting the infected user account and files be > sufficient? ---- You would have to know EXACTLY what was compromised and that would be difficult to determine and clearly it would take a lot less time than simply backing up the data, wiping out the installation and reinstalling fresh. Once a box is owned by someone else, you can't trust anything including reports from things like rpm -Va. The only thing you might be able to trust is a check from tripwire which had the checksums stored on a read-only filesystem like a CD. Craig
