From owner-freebsd-stable Sat Jul 21 18:54:58 2001
Date: Sun, 22 Jul 2001 03:56:26 +0200 (SAST)
From: The Psychotic Viper (psyv@root.org.za)
Subject: Re: probably remote exploit
In-reply-to: <15194.2597.335066.379263@guru.mired.org>
To: freebsd-stable@FreeBSD.ORG
Content-type: TEXT/PLAIN; charset=US-ASCII

Hi,

I have been watching this thread since it started, and this may be off topic, but it may give another viewpoint on things.

The last post by Mike outlining the multiple-trigger trojan system is one of the major reasons why the rule of thumb in a lot of security and penetration forensics circles is to take and flatten systems and build them anew, from scratch. You never know what's been done to your system once it's been compromised unless you watched the cracker step by step, and even then I personally wouldn't trust that box after undoing what I *think* has been done. And if an in-depth check and audit could indicate other systems being compromised via the initial system, those go too, even if there's a chance they weren't, in personal experience.

Sure, it takes time to back up user data and reinstall multiple machines, but it may save a lot of time when you have to keep rebuilding your machine because your visitor keeps getting back in. It also prevents them getting in remotely (hopefully) through a known vulnerability if you install the latest release of whatever OS you have.

So that's a handy "rule" to have even if it does take a bit longer; I'd think peace of mind more than makes up for it. :)

hth
PsyV

btw... always open to new ideas and suggestions