| 1 |
On Freitag, 21. September 2007, Grant wrote: |
| 2 |
> > > Do I |
| 3 |
> > > need to start this thing over? |
| 4 |
> > |
| 5 |
> > yes. No tool can tell you for certain, that no malware is rampage on your |
| 6 |
> > system. netstat, ps, emerge might be hacked already. As might be md5sum |
| 7 |
> > and other tools to generate and compare ckecksums. There is only one way |
| 8 |
> > to make sure your system is clean: |
| 9 |
> > |
| 10 |
> > reinstallation |
| 11 |
> |
| 12 |
> Although I haven't found any evidence of intrusion, I've been urged |
| 13 |
> off-list to reinstall and since I'm about 4 hours early to rise this |
| 14 |
> morning I think I better. |
| 15 |
|
| 16 |
If your intruder has at least some skills and don't want to leave evidence |
| 17 |
behind, you have nearly zero chance to find any signs. That is the evil part |
| 18 |
about being 'maybe hacked'. |
| 19 |
Even with the best tools you can only say 'the hacker must be good' and |
| 20 |
not 'there was no hacker'. |
| 21 |
|
| 22 |
> |
| 23 |
> Can we go over a good plan for the transition? My main concerns are |
| 24 |
> backing up the right files and a good remote installation procedure as |
| 25 |
> it's been years since I did that. Thanks. |
| 26 |
|
| 27 |
I would tar everything up and copy the files back you really want - after |
| 28 |
checking them. Stuff from /etc, like the files in /etc/conf.d, make.conf, the |
| 29 |
files in /etc/portage and other stuff you edited, the /home tree, your |
| 30 |
database and website files, if there are any. But don't copy anything back |
| 31 |
without having a look first. Your world-file might be helpfull to spare some |
| 32 |
time. /usr/portage stuff should be nuked completly - it is so easy to replace |
| 33 |
it is not worth the risk of a hacked ebuild ... |
| 34 |
Don't forget to mkfs the partitions first before you start reinstallation. |
| 35 |
About remote installation: never done that, hopefully someone else on the list |
| 36 |
can help you with that. |
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
-- |
| 41 |
gentoo-user@g.o mailing list |
Archives