Date:      Fri, 20 Apr 2001 04:40:06 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Peter Pentchev <roam@orbitel.bg>, "David G. Andersen" <dga@pobox.com>, Kris Kennaway <kris@obsecurity.org>, fukuda shinichi <fukuda@alles.ad.jp>, freebsd-security@FreeBSD.ORG
Subject:   Re: unknown process 
Message-ID:  <200104201141.f3KBf0D10127@cwsys.cwsent.com>
In-Reply-To: Your message of "19 Apr 2001 12:37:10 +0200." <xzp66g1npk9.fsf@flood.ping.uio.no> 

In message <xzp66g1npk9.fsf@flood.ping.uio.no>, Dag-Erling Smorgrav 
writes:
> Peter Pentchev <roam@orbitel.bg> writes:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > It's not either/or.  The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
> > ..and during the install, examine your backups
> 
> A backup is not a trusted source.  Never reinstall from backups after
> a compromise.  Restoring user data from backup is acceptable as long
> as you are certain that none of that data is executable.

Even then you cannot trust user data because there is no way to know 
whether it has been modified.  For example, if the user data is 
financial, you MUST hire an auditor to verify that the data is correct.

If you can ABSOLUTELY establish when the compromise occurred, restoring 
user data and the rest of the system from that point would be 
acceptable.  However, in most cases you will not be able to ABSOLUTELY 
establish when the compromise occurred, so you have to suspect 
ABSOLUTELY everything on the machine.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
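The thread's rule is that user data may come back from backup only if none of it is executable. The following is an added example, not code from this thread or from FreeBSD, of the check a practitioner would run over a restored tree before handing it back to users: it flags any regular file with an execute bit, a setuid/setgid bit, an ELF header or a "#!" interpreter line (a script whose mode bits were stripped is still a script), and any symlink, which may point outside the restore set. The directory layout, file names and contents in build_sample_tree() are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Audit a tree of restored user data for anything executable.

Added example illustrating the point above; not code from the thread or
from FreeBSD.  The sample tree built below is constructed.
"""
from __future__ import annotations

import os
import shutil
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
SUID_SGID = stat.S_ISUID | stat.S_ISGID
ELF_MAGIC = b"\x7fELF"


def classify(path: str) -> list[str]:
    """Return the reasons a path looks executable; an empty list means clean."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A link can point anywhere, including outside the restored tree.
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        return []
    reasons: list[str] = []
    if st.st_mode & EXEC_BITS:
        reasons.append("exec-bit")
    if st.st_mode & SUID_SGID:
        reasons.append("setuid/setgid")
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ELF_MAGIC:
        reasons.append("ELF")
    elif head[:2] == b"#!":
        reasons.append("shebang")   # interpreter scripts run without an exec bit
    return reasons


def audit_tree(root: str) -> dict[str, list[str]]:
    """Walk root without following links; map relative path -> reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                findings[os.path.relpath(full, root)] = ["symlink"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree() -> str:
    """Create a constructed restore set in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="restore-audit-")

    def put(rel: str, data: bytes, mode: int = 0o644) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)

    put("home/alice/ledger.csv", b"date,amount\n2001-04-01,120.00\n")
    put("home/alice/notes.txt", b"plain text, nothing executable\n")
    put("home/alice/bin/cleanup", b"#!/bin/sh\nrm -rf ~/.cache\n", 0o755)
    # Constructed ELF header with setuid bit: a planted binary in a dotdir.
    put("home/bob/.hidden/ls", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o4755)
    # Looks like a document, has no exec bit, but is a shell script.
    put("home/bob/report.doc", b"#!/bin/sh\necho not a document\n")
    os.symlink("/etc/passwd", os.path.join(root, "home/bob/passwd"))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, why in sorted(audit_tree(sample).items()):
            print(f"{rel}: {', '.join(why)}")
    finally:
        shutil.rmtree(sample)
```

Anything the audit reports is either dropped or examined by hand before the restore is accepted; a clean report only says the data is not executable, not that its contents are correct, which is the auditor's job the message describes.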

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200104201141.f3KBf0D10127>