Date: Thu, 19 Apr 2001 12:54:27 +0300 From: Peter Pentchev <roam@orbitel.bg> To: Rasputin <rara.rasputin@virgin.net> Cc: security@freebsd.org Subject: Re: unknown process Message-ID: <20010419125426.B446@ringworld.oblivion.bg> In-Reply-To: <20010419104819.A25707@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Thu, Apr 19, 2001 at 10:48:19AM %2B0100 References: <200104190324.VAA14081@faith.cs.utah.edu> <xzpzodd6xsh.fsf@flood.ping.uio.no> <20010419123915.A446@ringworld.oblivion.bg> <20010419104819.A25707@dogma.freebsd-uk.eu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Apr 19, 2001 at 10:48:19AM +0100, Rasputin wrote: > * Peter Pentchev <roam@orbitel.bg> [010419 10:42]: > > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > > > "David G. Andersen" <dga@pobox.com> writes: > > > > You've been hacked. Do what Kris said immediately - take your > > > > system offline, and figure out how they got in. You'll likely > > > > need to either restore from backups, a fresh install, or check > > > > your tripwire/etc logs to determine what else the intruder > > > > changed, if they installed a rootkit, etc. > > > > > > It's not either/or. The only acceptable solution to this situation is > > > a complete reinstall from a trusted source (e.g. original CD set). > > Just a though - do the cvs servers count as 'trusted'? > How feasible would it be to cvsup and installworld? > > I'd personally go for reinstalling the compiler, cvsup binary, > networking packages, etc from CD > first - that probably wouldn't be enough, though, would it? If you're doing this on the same machine, you should also watch out for kernel modules, rc scripts and stuff.. I say a clean install, and then.. if the previous setup had been right.. all the additional programs and configs should be easily rebuilt/restored from CVS or similar. As to the data, and DATA ONLY, backups should be safe. G'luck, Peter -- I am jealous of the first word in this sentence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010419125426.B446>