On Friday, 21 September 2007, Grant wrote:
> > > Do I
> > > need to start this thing over?
> >
> > yes. No tool can tell you for certain that no malware is rampaging on your
> > system. netstat, ps, emerge might be hacked already. As might be md5sum
> > and other tools to generate and compare checksums. There is only one way
> > to make sure your system is clean:
> >
> > reinstallation
>
> Although I haven't found any evidence of intrusion, I've been urged
> off-list to reinstall and since I'm about 4 hours early to rise this
> morning I think I better.

If your intruder has at least some skills and doesn't want to leave evidence
behind, you have nearly zero chance of finding any signs. That is the evil part
about being 'maybe hacked'.
Even with the best tools you can only say 'the hacker must be good' and
not 'there was no hacker'.

>
> Can we go over a good plan for the transition? My main concerns are
> backing up the right files and a good remote installation procedure as
> it's been years since I did that. Thanks.

I would tar everything up and copy back the files you really want - after
checking them. Stuff from /etc, like the files in /etc/conf.d, make.conf, the
files in /etc/portage and other stuff you edited, the /home tree, your
database and website files, if there are any. But don't copy anything back
without having a look first. Your world file might be helpful to spare some
time. /usr/portage stuff should be nuked completely - it is so easy to replace
that it is not worth the risk of a hacked ebuild ...
Don't forget to mkfs the partitions first before you start the reinstallation.
About remote installation: never done that, hopefully someone else on the list
can help you with that.



-- 
gentoo-user@g.o mailing list
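The "tar it up, nuke /usr/portage, look before you copy back" procedure from the reply above, written out as an added POSIX shell example. This is not code from the original thread or from Gentoo's own tools; the path list (/etc/conf.d, /etc/make.conf, /etc/portage, /var/lib/portage/world, /home), the exclusion of /usr/portage, and the sample tree built by make_demo_tree are all assumptions chosen to mirror the mail. The archive is only ever unpacked into a staging directory, never onto the new root, so every file can be read before it is copied over.

```shell
#!/bin/sh
# Added example (not from the original thread): carry config over a reinstall
# via a tarball that is reviewed in a staging directory, never restored to /.

# Paths worth keeping, relative to the old root. Assumed from the mail; the
# world file location is the usual /var/lib/portage/world. /usr/portage is
# deliberately absent: it is cheap to re-sync and may hold a tampered ebuild.
KEEP_PATHS="etc/conf.d etc/make.conf etc/portage var/lib/portage/world home"

# snapshot_config ROOT OUTFILE
# Archives the KEEP_PATHS that exist under ROOT (relative paths, via -C) and
# writes a manifest next to the tarball. Returns 1 if nothing was found.
snapshot_config() {
    root=$1
    out=$2
    list=""
    for p in $KEEP_PATHS; do
        [ -e "$root/$p" ] && list="$list $p"
    done
    [ -n "$list" ] || return 1
    # word splitting of $list is intended: one argument per path
    tar -C "$root" -cf "$out" $list || return 1
    tar -tf "$out" > "$out.manifest"
}

# stage_for_review TARBALL STAGEDIR
# Unpacks into a scratch directory so each file can be inspected before it is
# copied onto the reinstalled system. Refuses archives whose members are
# absolute or contain "..", since those would escape the staging directory.
stage_for_review() {
    tb=$1
    stage=$2
    if tar -tf "$tb" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
        return 1
    fi
    mkdir -p "$stage" || return 1
    tar -C "$stage" -xf "$tb"
}

# make_demo_tree DIR
# Builds a small constructed fake old root so the example runs offline.
# Contents are invented for demonstration only.
make_demo_tree() {
    d=$1
    mkdir -p "$d/etc/conf.d" "$d/etc/portage" "$d/var/lib/portage" \
             "$d/home/grant" "$d/usr/portage/app-editors/vim"
    echo 'config_eth0="dhcp"'          > "$d/etc/conf.d/net"
    echo 'CFLAGS="-O2 -pipe"'          > "$d/etc/make.conf"
    echo 'app-editors/vim ~x86'        > "$d/etc/portage/package.keywords"
    printf 'app-editors/vim\nwww-servers/apache\n' > "$d/var/lib/portage/world"
    echo 'todo: check apache vhosts'   > "$d/home/grant/notes.txt"
    echo 'fake ebuild, must not be carried over' \
                                       > "$d/usr/portage/app-editors/vim/vim-7.1.ebuild"
}

# Stand-alone demo: snapshot the constructed tree, then stage it for review.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir/old"
snapshot_config "$demo_dir/old" "$demo_dir/backup.tar"
stage_for_review "$demo_dir/backup.tar" "$demo_dir/stage"
echo "archived members:"
cat "$demo_dir/backup.tar.manifest"
echo "review each file under $demo_dir/stage before copying it to the new system"
```

The manifest is what you read first: anything in it you do not recognise as your own edit does not get copied back. Re-emerging from the staged world file rebuilds the package set from a fresh portage tree instead of the old one.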