On Sat, 2005-12-10 at 22:20 -0800, Kam Leo wrote:
> On 12/10/05, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> > On Sat, 2005-12-10 at 21:59 -0800, Kam Leo wrote:
> > > On 12/10/05, Scot L. Harris <webid@xxxxxxxxxx> wrote:
> > > > On Sun, 2005-12-11 at 00:45, Gene Heskett wrote:
> > > > > On Sunday 11 December 2005 00:35, Craig White wrote:
> > > > > >On Sun, 2005-12-11 at 00:31 -0500, Gene Heskett wrote:
> > > > > >
> > > > > I forgot to mention that all the unpacked files are in his son's name,
> > > > > an unprivileged user, but with a very weak password. So we think it
> > > > > came in and was running as this user. His son, taking comp sci
> > > > > courses as a junior in college now, simply would never have done this,
> > > > > it's just not his style. All he ever uses is email & a web browser.
> > > >
> > > > Sounds like a guessed password then. Regardless, the best thing to do
> > > > is to rebuild from scratch and then set strong passwords on all
> > > > accounts. That is the only way to be sure the system is really back
> > > > under your control.
> > > >
> > >
> > > Isn't rebuilding a little extreme? If the cracker got into an
> > > unprivileged user's account and no further, isn't that particular user
> > > account the only thing at risk? Shouldn't changing all passwords to
> > > strong ones and deleting the infected user account and files be
> > > sufficient?
> > ----
> > You would have to know EXACTLY what was compromised and that would be
> > difficult to determine and clearly it would take a lot less time than
> > simply backing up the data, wiping out the installation and reinstalling
> > fresh. Once a box is owned by someone else, you can't trust anything
> > including reports from things like rpm -Va. The only thing you might be
> > able to trust is a check from tripwire which had the checksums stored on
> > a read-only filesystem like a CD.
> >
> > Craig
> >
>
> That's easy if all you had to back up were databases and globally
> installed applications. If you have lots of users who have lots of
> data plus locally installed applications, how do you decide what is
> worth replicating and what needs to be trashed?
----
Backing up data directories and reinstalling from scratch is the only
known method to ensure the integrity of a system that has been
compromised. Once a box has been compromised, you cannot trust a single
binary file on the system.

How do you tell bosses/users that you cannot ensure the security of their
server by recommending repair options short of best practice? I simply
don't have an answer to that. That's not an alternative that I intend to
ever offer.

Personally, I consider the Fedora software a limited duration install
anyway.

Craig
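The kind of check Craig is describing (a tripwire-style baseline whose checksums were taken while the box was still trusted and then kept on read-only media) is easy to show in miniature. The example below is added here for illustration and is not code from the thread or from tripwire; it builds a small constructed directory tree, snapshots SHA-256 digests plus permission bits, tampers with the tree the way a rootkit might (same-size binary swap, a setuid bit added, a log removed, a hidden file dropped), and reports what the baseline catches. The file names and contents are invented. The part the code cannot show is the operational one the thread makes: both the baseline and the checker have to come from outside the suspect host (a CD, a live rescue image), because neither `rpm -Va` nor any other binary on the owned box can be believed.

```python
"""Minimal offline integrity baseline in the spirit of a tripwire check.

Added example, not part of the original thread. The sample tree and the
"compromise" are constructed inline so the script runs offline. In real use
the baseline (and this checker) would be stored on read-only media and the
live filesystem would be examined from a trusted boot, never from the
compromised host's own binaries.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> {sha256, mode, size} for every regular file.

    Mode is recorded with stat.S_IMODE so setuid/setgid/sticky bits are part
    of the baseline; a binary that keeps its content but gains setuid is still
    flagged. Symlinks are recorded by target so a re-pointed link is caught.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        st = p.lstat()
        if stat.S_ISLNK(st.st_mode):
            baseline[rel] = {"type": "symlink", "target": os.readlink(p)}
        elif stat.S_ISREG(st.st_mode):
            baseline[rel] = {
                "type": "file",
                "sha256": sha256_file(p),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def verify(root, baseline):
    """Compare the live tree against a stored baseline; return sorted findings."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, entry in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != entry:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def simulate_compromise_check():
    """Constructed scenario: baseline a clean tree, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system"
        (root / "bin").mkdir(parents=True)
        (root / "log").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
        (root / "log" / "secure").write_bytes(b"Dec 10 22:20 sshd: Accepted password\n")

        # Snapshot taken while the host is still trusted. Written out as JSON
        # because that is what would be burned to read-only media and read
        # back from it later; the live tree is never the source of truth.
        baseline_path = Path(tmp) / "baseline.json"
        baseline_path.write_text(json.dumps(build_baseline(root), indent=1))

        # What an intruder typically leaves behind (constructed):
        # ps replaced by a same-size trojan, so a size/mtime check alone would miss it
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")
        # ls unchanged in content but now setuid root-style (mode change only)
        os.chmod(root / "bin" / "ls", 0o4755)
        # auth log wiped, hidden sniffer dropped in
        (root / "log" / "secure").unlink()
        (root / "bin" / ".sniff").write_bytes(b"sniffer")

        stored = json.loads(baseline_path.read_text())
        return verify(root, stored)


if __name__ == "__main__":
    for kind, paths in simulate_compromise_check().items():
        print(f"{kind:9s} {paths}")
```

The report from the constructed run lists `bin/ls` and `bin/ps` as modified, `log/secure` as missing and `bin/.sniff` as added. Note what makes this trustworthy in practice and what does not: the digests are only meaningful if the baseline predates the compromise and was stored where the intruder could not rewrite it, and the comparison only means something if `python`, `libc` and the kernel doing the comparison are not the ones on the suspect disk. Without both, you are back to asking the owned box to audit itself, which is exactly the `rpm -Va` problem Craig points out.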