From owner-freebsd-security Thu Apr 19 02:56:07 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 70CC337B43C for ; Thu, 19 Apr 2001 02:56:03 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 5205 invoked by uid 1000); 19 Apr 2001 09:54:27 -0000
Date: Thu, 19 Apr 2001 12:54:27 +0300
From: Peter Pentchev
To: Rasputin
Cc: security@freebsd.org
Subject: Re: unknown process
Message-ID: <20010419125426.B446@ringworld.oblivion.bg>
Mail-Followup-To: Rasputin , security@freebsd.org
References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg> <20010419104819.A25707@dogma.freebsd-uk.eu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010419104819.A25707@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Thu, Apr 19, 2001 at 10:48:19AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 19, 2001 at 10:48:19AM +0100, Rasputin wrote:
> * Peter Pentchev [010419 10:42]:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > "David G. Andersen" writes:
> > > > You've been hacked. Do what Kris said immediately - take your
> > > > system offline, and figure out how they got in. You'll likely
> > > > need to either restore from backups, a fresh install, or check
> > > > your tripwire/etc logs to determine what else the intruder
> > > > changed, if they installed a rootkit, etc.
> > >
> > > It's not either/or. The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
>
> Just a thought - do the cvs servers count as 'trusted'?
> How feasible would it be to cvsup and installworld?
>
> I'd personally go for reinstalling the compiler, cvsup binary,
> networking packages, etc from CD
> first - that probably wouldn't be enough, though, would it?

If you're doing this on the same machine, you should also watch out
for kernel modules, rc scripts and stuff..

I say a clean install, and then.. if the previous setup had been
right.. all the additional programs and configs should be easily
rebuilt/restored from CVS or similar. As to the data, and DATA ONLY,
backups should be safe.

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
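The "data ONLY, and watch the rc scripts and kernel modules" advice above, as an added shell example that is not from the thread or from FreeBSD: it assumes the old backup is mounted at one path and the fresh install's destination is another (both illustrative), lists what it refuses to bring back, and copies only non-executable data files.

```shell
#!/bin/sh
# Data-only restore helper (added example, not from the thread).
# Assumes: $1 is a mounted copy of the backup tree, $2 the fresh system's
# destination directory. Both paths are illustrative.

# List files under $1 that should NOT come back from a post-compromise
# backup: anything executable or setuid/setgid, kernel modules, and
# rc scripts / rc.d hooks (the things the thread says to watch out for).
suspicious_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -4000 -o -perm -2000 \
        -o -name '*.ko' -o -name 'rc*' -o -path '*/rc.d/*' \) 2>/dev/null | sort
}

# Copy only regular, non-executable data files from $1 into $2, keeping
# the relative layout and stripping exec/setuid bits on the copy just in case.
restore_data_only() {
    src=$1
    dst=$2
    find "$src" -type f ! -perm -0100 ! -perm -0010 ! -perm -0001 \
        ! -perm -4000 ! -perm -2000 \
        ! -name '*.ko' ! -name 'rc*' ! -path '*/rc.d/*' 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        chmod a-x,u-s,g-s "$dst/$rel"
    done
}

# Stand-alone usage (illustrative): restore_data_only.sh /mnt/backup /newroot/restored
if [ "$#" -eq 2 ]; then
    echo "Not restoring (executables, kernel modules, rc hooks):"
    suspicious_files "$1"
    restore_data_only "$1" "$2"
fi
```

Configuration under /etc and /usr/local/etc is deliberately outside this script's job; per the thread, that gets rebuilt from CVS or re-entered by hand on the clean install, not copied back.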