Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] Help I got hacked!!

On Mon, Jul 02, 2001 at 07:17:32PM +1000, Andy Eager wrote:
> Thanks for that lovely piece of information.

Think of it this way - you now have a valid reason to do an
rm -rf / :-). IMHO you really should start over completely -
yes, it's a hassle, but much less of one then not doing this
and having the nagging doubts that there may be something on
the system left over from the attack that's doing things you'd
really rather it didn't... 

> Fortunately I keep all data backed up, so thats not a problem but having 
> built the machine from scratch as a humble newbie only 6 months ago 
> (.... I couldn't even spell Linux...) I've got stuff like nfs, ntp, 
> named, samba etc, etc which all just 'evolved' over time. 

This is one reason for keeping a paper notebook in which you write down
everything you do on the system.
> Wouldn't a reasonable compromise be to do the following:
> verify each installed package:    rpm -V -a
> (Now we know each package is OK)

Assuming they haven't installed a trojaned version of rpm or similar.
You can only be sure the packages are OK if you're getting them of your
installation CDs, downloading from a trusted site and checking
signatures and so on.

> for each file in all directories except home, do:   rpm -qif <filename>
> (If it doesn't belong to any package then warn user)

Again, only if you can trust the version of rpm on your system. And you
really can't at this stage.

> ( A desperate optimist who untill now, believed that all people (even 
> hackers) were good )

Ah, don't go there. Hackers *are* good. You got burnt by crackers.