From: Cy Schubert - ITSD Open Systems Group
Reply-To: Cy Schubert - ITSD Open Systems Group
To: Dag-Erling Smorgrav
Cc: Peter Pentchev, "David G. Andersen", Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
Date: Fri, 20 Apr 2001 04:40:06 -0700
Message-Id: <200104201141.f3KBf0D10127@cwsys.cwsent.com>
In-reply-to: Your message of "19 Apr 2001 12:37:10 +0200."

In message , Dag-Erling Smorgrav writes:
> Peter Pentchev writes:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > It's not either/or. The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
> >
> > ..and during the install, examine your backups
>
> A backup is not a trusted source. Never reinstall from backups after
> a compromise. Restoring user data from backup is acceptable as long
> as you are certain that none of that data is executable.

Even then you cannot trust user data, because there is no way to know
whether it has been modified. For example, if the user data is financial
you MUST hire an auditor to verify that the data is correct. If you can
ABSOLUTELY establish when the compromise occurred, restoring user data and
the rest of the system from that point would be acceptable. However, in
most cases you will not be able to ABSOLUTELY establish when the
compromise occurred, so you have to suspect ABSOLUTELY everything on the
machine.

Regards,                          Phone:     (250)387-8437
Cy Schubert                       Fax:       (250)387-5766
Team Leader, Sun/Alpha Team       Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
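The thread sets two conditions before restored user data may go back onto a rebuilt host: nothing in it may be executable, and the data must predate the moment the compromise is known to have started. The script below turns those conditions into a concrete pre-restore audit of a staging tree. It is an example added here, not code from the thread, from FreeBSD, or from any of the posters; `audit_restore`, `build_sample_restore`, the file names, the mode bits and the cutoff timestamp are all hypothetical, and the sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Audit a tree restored from backup before letting it back on a rebuilt host.

Added example, not code from the thread or from FreeBSD. It checks the two
conditions the reply above sets for restored user data: nothing in it may
be executable, and nothing may have been touched at or after the earliest
moment the attacker could have had access. All names here are hypothetical.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"   # native executable image on FreeBSD/Linux
SHEBANG = b"#!"          # interpreter script


@dataclass(frozen=True, order=True)
class Finding:
    path: str    # relative to the restore root
    reason: str


def has_executable_content(path):
    """Sniff the first bytes: an ELF image or a #! script is executable
    no matter what its mode bits say (chmod +x is one command away)."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head.startswith(ELF_MAGIC) or head.startswith(SHEBANG)


def audit_restore(root, compromise_time):
    """Return sorted Findings for everything that must not be restored as-is.

    compromise_time is a POSIX timestamp: the earliest time the attacker
    could have been on the box. An attacker can reset mtime (touch -t), so
    an empty result is necessary for trusting the data, never sufficient.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                findings.append(Finding(rel, "symlink"))
                continue
            if not stat.S_ISREG(mode):
                findings.append(Finding(rel, "special file"))
                continue
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(Finding(rel, "setuid/setgid"))
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append(Finding(rel, "executable mode bits"))
            elif has_executable_content(path):
                findings.append(Finding(rel, "executable content without x bit"))
            if st.st_mtime >= compromise_time:
                findings.append(Finding(rel, "modified at or after compromise_time"))
    return sorted(findings)


# Constructed sample: a restore staging tree built in a temp directory.
SAMPLE_COMPROMISE_TIME = 987_700_000        # hypothetical cutoff (POSIX time)
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9   # constructed ELF header
SAMPLE_FILES = [
    # (relative path, content, mode, mtime offset from the cutoff, seconds)
    ("home/alice/notes.txt", b"meeting at 10\n", 0o644, -86_400),
    ("home/alice/ledger.csv", b"acct,amount\n1,100\n", 0o644, +3_600),
    ("home/bob/cleanup.sh", b"#!/bin/sh\nrm -rf /tmp/*\n", 0o755, -86_400),
    ("home/bob/backdoor", FAKE_ELF, 0o644, -86_400),
    ("home/bob/rootsh", FAKE_ELF, 0o4755, -86_400),
]


def build_sample_restore():
    """Create the constructed tree; returns (root, compromise_time)."""
    root = tempfile.mkdtemp(prefix="restore-audit-")
    for rel, content, mode, offset in SAMPLE_FILES:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
        when = SAMPLE_COMPROMISE_TIME + offset
        os.utime(path, (when, when))
    return root, SAMPLE_COMPROMISE_TIME


if __name__ == "__main__":
    root, cutoff = build_sample_restore()
    for finding in audit_restore(root, cutoff):
        print(f"{finding.reason:40} {finding.path}")
```

Run it against the staging directory a backup was extracted into, with the cutoff set to the earliest time the attacker could have been present, and refuse to copy anything it lists. The mtime check only catches a careless attacker, which is the point Cy makes: timestamps and content can both be rewritten, so a clean report does not establish that the data is intact, and the only stronger check is comparison against hashes or copies taken before the compromise window.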