From owner-freebsd-security Thu Apr 19 2:41: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13])
    by hub.freebsd.org (Postfix) with SMTP id 5E33A37B43C
    for ; Thu, 19 Apr 2001 02:40:55 -0700 (PDT)
    (envelope-from roam@orbitel.bg)
Received: (qmail 469 invoked by uid 1000); 19 Apr 2001 09:39:16 -0000
Date: Thu, 19 Apr 2001 12:39:15 +0300
From: Peter Pentchev
To: Dag-Erling Smorgrav
Cc: "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
Message-ID: <20010419123915.A446@ringworld.oblivion.bg>
Mail-Followup-To: Dag-Erling Smorgrav , "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG
References: <200104190324.VAA14081@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Thu, Apr 19, 2001 at 11:31:26AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> "David G. Andersen" writes:
> > You've been hacked. Do what Kris said immediately - take your
> > system offline, and figure out how they got in. You'll likely
> > need to either restore from backups, a fresh install, or check
> > your tripwire/etc logs to determine what else the intruder
> > changed, if they installed a rootkit, etc.
>
> It's not either/or. The only acceptable solution to this situation is
> a complete reinstall from a trusted source (e.g. original CD set).

..and during the install, examine your backups - people have been known
to restore systems from backup, only to find out that the intrusion
had happened *before* the backup; sometimes there are months and months
of accurately backed up backdoors and stuff.

G'luck,
Peter

--
Thit sentence is not self-referential because "thit" is not a word.