Mick wrote:
> On Monday 09 August 2010 21:25:37 Dale wrote:
>
>> Robert Bridge wrote:
>>
>>> On Mon, Aug 9, 2010 at 8:09 PM, Mick <michaelkintzios@×××××.com> wrote:
>>>
>>>> There have been discussions on this list why sudo is a bad idea and sudo
>>>> on *any* command is an even worse idea. You might as well be running
>>>> everything as root, right?
>>>>
>>> sudo normally logs the command executed, and the account which
>>> executes it, so while not relevant for single user systems, it STILL
>>> has benefits over running as root.
>>>
>>> RobbieAB
>>>
>> I don't use sudo here but I assume an admin would only know that a nasty
>> command has been run well after it was run? Basically, after the damage
>> has been done, you can go look at the logs and see the mess some hacker
>> left behind. For me, that isn't a whole lot of help. You still got
>> hacked, you still got to reinstall and check to make sure anything you
>> copy over is not infected.
>>
>> Assuming that they can erase dmesg, /var/log/messages and other log
>> files, who's to say the sudo logs aren't deleted too? Then you still
>> have no records to look at.
>>
>> I agree with the other posters tho, re-install from scratch and re-think
>> your security setup.
>>
> That's the problem with any compromise worth its salt, all logs will be
> tampered to clear traces of interfering with your system. Monitoring network
> traffic from a healthy machine is a good way to establish suspicious activity
> on the compromised box and it also helps checking for open ports (nmap, or
> netcat) to find out what's happening to the compromised box.
>
>

Yep, cause when they are in the system, they can do what they want.
Once they get root privileges, nothing else matters after that. It's
just a matter of the clean up which from what I have always read is a
reinstall. It's not good to hear but it's the best way to know for sure
you are safe.

Me tho, I would start from scratch and not even chroot into the old
install. I might mount and try to read a log file or copy my world file
but that would be about it. I'm not sure I would trust anything else.
I just hope this never happens to me. :/

Dale

:-) :-)
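A defender-side illustration of the audit point argued in the thread (sudo records who ran what, but a sudo-granted interactive root shell or a deleted log file ends that trail). This is an added example, not code from the thread or from sudo itself; the log lines are constructed samples in sudo's syslog format, and the regex and the flagging rules are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in the format sudo writes to syslog (not taken from the thread).
SAMPLE_LOG = """\
Aug  9 21:10:02 box sudo:     dale : TTY=pts/0 ; PWD=/home/dale ; USER=root ; COMMAND=/usr/bin/emerge --sync
Aug  9 21:12:45 box sudo:     dale : TTY=pts/0 ; PWD=/home/dale ; USER=root ; COMMAND=/bin/bash
Aug  9 21:13:01 box sudo:    guest : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug  9 21:15:30 box sudo:     dale : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/rm -f /var/log/messages
"""

# One record per sudo invocation; error is empty when sudo allowed the command.
SudoEvent = namedtuple("SudoEvent", "ts user tty pwd target command error")

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Programs that hand the caller an interactive root shell: sudo logs nothing
# that happens inside it, which is the "might as well be root" case above.
SHELL_ESCAPES = {"bash", "sh", "dash", "zsh", "su"}
LOG_WIPERS = {"rm", "truncate", "shred"}

def parse_sudo_log(text):
    """Return a SudoEvent for every line that matches sudo's syslog format."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            d = m.groupdict()
            events.append(SudoEvent(d["ts"], d["user"], d["tty"], d["pwd"],
                                    d["target"], d["command"], d["error"] or ""))
    return events

def flag_events(events):
    """Pair each noteworthy event with the reason it deserves a look."""
    findings = []
    for ev in events:
        argv = ev.command.split()
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        if ev.error:
            findings.append((ev, "denied: " + ev.error))
        elif prog in SHELL_ESCAPES:
            findings.append((ev, "root shell: the sudo audit trail ends here"))
        elif prog in LOG_WIPERS and any(a.startswith("/var/log") for a in argv[1:]):
            findings.append((ev, "log file removed via sudo"))
    return findings
```

Running `flag_events(parse_sudo_log(SAMPLE_LOG))` on the samples flags the `/bin/bash` escape, the denied `guest` attempt and the removal of `/var/log/messages`; the sort of thing the thread says only survives if the log lines have already left the box.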