Date: Thu, 12 Jul 2001 15:25:46 -0700
From: Kris Kennaway (kris@obsecurity.org)
To: "www.slashx.net"
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD 4.3 local root
Message-ID: <20010712152545.B20322@xor.obsecurity.org>
References: <001801c10b0e$1976d370$97625c42@alexus>
In-Reply-To: ; from netbios@exodus.slashx.net on Thu, Jul 12, 2001 at 08:09:00PM +0000
List: freebsd-security@freebsd.org

On Thu, Jul 12, 2001 at 08:09:00PM +0000, www.slashx.net wrote:
> suppose my server was intruded, would it be safe to say that a cvsup of
> the most current tree would overwrite all bins, in case they were
> backdoored?

No; you need to back up any data files, wipe the system and reinstall
from scratch, being careful to restore only data, not binaries. And
check the data to make sure it hasn't been maliciously altered.
Anything less and you can't be sure you've got every last backdoor left
by the intruder.

> also does anyone recommend any sort of IDS?

What kind of IDS? snort is an excellent network IDS, and tripwire is
fairly good for host-based IDS. Both are in the ports collection.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7TiPpWry0BWjoQKURArSlAKD/V2SMCfyAJFeFA74B5FEkT7yxsgCguRjZ
4qoCfL4LDuI+aWng8CC0Do4=
=StOL
-----END PGP SIGNATURE-----
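The two points above (a refresh of the binaries does not undo a break-in, and a host-based IDS such as tripwire is the tool for noticing what changed) can be shown with a small integrity checker. The script below is an added example, not code from the mail or from the tripwire project: it records a sha256 baseline of every regular file under a tree, reports what was added, modified or missing, and then walks through a constructed fake system where an intruder trojans one binary, deletes another and drops a startup script. Restoring only the binaries from a clean copy (the "cvsup the tree" idea in the question) leaves the added script in place, which is exactly why the reply insists on a wipe. The tree layout, file contents and the "rc.backdoor" name are constructed for the demo; the script assumes paths contain no tab or newline characters and that the baseline manifest is non-empty.

```shell
#!/bin/sh
# Added example (not from the original mail): a minimal host-integrity check
# in the spirit of tripwire. Assumptions: paths contain no tab/newline, and
# the recorded manifest is non-empty (the awk NR==FNR idiom needs that).

# Print the sha256 of one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1          # GNU coreutils
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # FreeBSD base system
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # perl fallback
    fi
}

# baseline DIR MANIFEST: write "path<TAB>sha256" for every regular file.
baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(hash_file "$f")"
    done > "$2"
}

# verify DIR MANIFEST: compare the live tree against the recorded manifest.
# Prints one "STATUS<TAB>path" line per deviation; exit status 1 if any.
verify() {
    current=$(mktemp)
    baseline "$1" "$current"
    findings=$(awk -F'\t' '
        NR == FNR { base[$1] = $2; next }          # first file: the manifest
        {
            seen[$1] = 1
            if (!($1 in base))        print "ADDED\t" $1
            else if (base[$1] != $2)  print "MODIFIED\t" $1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING\t" p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# count_findings DIR MANIFEST: number of deviations (never fails the caller).
count_findings() {
    verify "$1" "$2" | wc -l | tr -d ' '
}

# demo: constructed fake system tree, a simulated intrusion, then a recovery
# that only overwrites binaries from a clean source, as cvsup+rebuild would.
demo() {
    work=$(mktemp -d)
    root=$work/root
    mkdir -p "$root/bin" "$root/etc" "$work/pristine"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'original ps\n' > "$root/bin/ps"
    printf 'root:*:0:0\n'  > "$root/etc/master.passwd"
    cp "$root/bin/ls" "$root/bin/ps" "$work/pristine/"   # known-good copies

    baseline "$root" "$work/manifest"                   # taken before the break-in

    # Simulated intrusion: trojaned ls, ps removed, a persistence script added.
    printf 'trojaned ls\n'   > "$root/bin/ls"
    rm "$root/bin/ps"
    printf 'nc -l 31337 &\n' > "$root/etc/rc.backdoor"
    after_intrusion=$(count_findings "$root" "$work/manifest")

    # "Fix" that only refreshes the binaries: the dropped script survives.
    cp "$work/pristine/ls" "$work/pristine/ps" "$root/bin/"
    after_restore=$(count_findings "$root" "$work/manifest")

    rm -rf "$work"
    printf 'after_intrusion=%s after_binary_restore=%s\n' \
        "$after_intrusion" "$after_restore"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh integrity.sh demo`; the intrusion shows three deviations and the binary-only restore still leaves one (the added startup script). The same limitation tripwire has applies here: the manifest is only worth anything if it was taken before the break-in and kept where an intruder with root cannot rewrite it, such as read-only media or another host.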