Date: 15 Nov 2001 00:52:01 +0100
From: Dag-Erling Smorgrav <des@ofug.org>
To: Stefan Probst <stefan.probst@opticom.v-nam.net>
Cc: freebsd-security@FreeBSD.ORG, Rob Hurle <rob@coombs.anu.edu.au>
Subject: Re: AdoreWorm
Message-ID: <xzpu1vwap26.fsf@flood.ping.uio.no>
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
References: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Stefan Probst <stefan.probst@opticom.v-nam.net> writes:

> What more happened / needs to be re-installed/deleted/killed...?

Everything. That system is a total write-off; not only can you not trust anything on it after it has been compromised (they might have left a backdoor *anywhere*), but by pointlessly trying to fix it you've stomped all over the crime scene and most likely ruined and/or invalidated any evidence that could have served to track down the attackers.

Take the machine off the net, back up your file systems to tape, format the disks, reinstall the OS from trusted read-only media (e.g. a BSDI or WindRiver CD-ROM set), then secure the machine (by turning off any unneeded services and auditing the configuration files for those services you do need) before bringing it back on-line.

And don't ever use telnet again.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
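The hardening step in the reply above (turn off unneeded services, audit the configuration files for the ones you keep, and stop using telnet) as an added POSIX sh example. This is not code from the thread, from DES, or from FreeBSD; it assumes the classic inetd.conf line layout (service, socket type, protocol, wait/nowait with optional limits, user, server, arguments) and runs against a constructed sample file rather than a live /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an inetd.conf for
# enabled network services, flag telnet, and write a hardened copy with the
# unwanted service commented out. Assumes the classic inetd.conf layout:
#   service socktype proto wait/nowait[/limits] user server args

# Write a constructed sample inetd.conf (not a real system file) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf for demonstration only
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait/3/10  nobody  /usr/libexec/fingerd  fingerd -s
EOF
}

# Print the name of every service that is actually enabled: skip blank lines,
# comment lines and anything too short to be a complete inetd entry.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Exit status 0 if telnet is enabled in the given file, 1 otherwise.
telnet_enabled() {
    enabled_services "$1" | grep -qx telnet
}

# Write a copy of an inetd.conf with every enabled entry for the named
# service commented out. Usage: disable_service SERVICE IN_FILE OUT_FILE
disable_service() {
    svc=$1; in=$2; out=$3
    sed "s/^\(${svc}[[:space:]]\)/#\1/" "$in" > "$out"
}

# Report what is enabled. Returns 1 (a finding) when telnet is on and 0 when
# it is not, so the function can drive a larger hardening script.
audit_inetd() {
    file=$1
    echo "enabled services in $file:"
    enabled_services "$file" | sed 's/^/  /'
    if telnet_enabled "$file"; then
        echo "FINDING: telnet is enabled (cleartext logins); disable it"
        return 1
    fi
    echo "OK: telnet is not enabled"
    return 0
}

# Demonstration on the constructed sample: audit, harden, audit again.
demo_in=$(mktemp)
demo_out=$(mktemp)
write_sample_conf "$demo_in"
audit_inetd "$demo_in" || true
disable_service telnet "$demo_in" "$demo_out"
audit_inetd "$demo_out" || true
rm -f "$demo_in" "$demo_out"
```

On a rebuilt host the same functions would be pointed at /etc/inetd.conf, and the list they print should be compared with what is actually listening (netstat -an) so that services started outside inetd are caught as well; the audit's exit status makes it usable from a cron job that re-checks the configuration after the machine is back on-line.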