From owner-freebsd-questions  Sun Sep  6 18:32:49 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id SAA23101
          for freebsd-questions-outgoing; Sun, 6 Sep 1998 18:32:49 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA23086
          for <freebsd-questions@FreeBSD.ORG>; Sun, 6 Sep 1998 18:32:41 -0700 (PDT)
          (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost)
          by resnet.uoregon.edu (8.8.5/8.8.8) with SMTP id SAA02700;
          Sun, 6 Sep 1998 18:32:33 -0700 (PDT)
          (envelope-from dwhite@resnet.uoregon.edu)
Date: Sun, 6 Sep 1998 18:32:32 -0700 (PDT)
From: Doug White <dwhite@resnet.uoregon.edu>
To: Jim Mock <jim@phrantic.phear.net>
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: questions
In-Reply-To: <Pine.BSF.4.02A.9809010646140.8666-100000@phear.net>
Message-ID: <Pine.BSF.4.00.9809061831480.18759-100000@resnet.uoregon.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


On Tue, 1 Sep 1998, Jim Mock wrote:

> Ok, I might be clueless and/or a complete moron, but I've got a few
> questions about restoring files to the original/upgrading to a later
> version.
> 
> Here's the deal.. I'm running 2.2.5-RELEASE, and recently the box has been
> hacked.  I've managed to block out the attackers using ipfw and tcp
> wrappers, but after reading some stuff on CERT's site, I started checking
> the files on the machine in question with another machine and found some
> differences.. here they are..
> 
> **** ls ****

[file size changes]

> My question is this.. a) how do i go about replacing those files with the
> originals without reinstalling, and b) I've got other machines running the
> same release and I was wondering if I could copy the files from the other
> box and replace the ones in question.  I'm not sure if that'd work or not,
> so I figured I'd ask.

Yeah, it'll work fine.  This is what the Live Filesystem CD is for. :)

And mtree.

Doug White                              | University of Oregon  
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message