From owner-freebsd-security@FreeBSD.ORG Sat Jun 12 23:54:43 2004
Message-ID: <40CB97A0.3040407@elvandar.org>
Date: Sun, 13 Jun 2004 01:54:08 +0200
From: Remko Lodder <remko@elvandar.org>
To: Peter Jeremy
cc: freebsd-security@freebsd.org
cc: Thordur Ivar
References: <019101c45072$a8b9cfe0$3501a8c0@pro.sk> <20040612130307.2c4483cb.thib@mi.is> <20040612212926.GL1596@cirb503493.alcatel.com.au>
In-Reply-To: <20040612212926.GL1596@cirb503493.alcatel.com.au>
Subject: Re: [Freebsd-security] Re: Hacked or not appendice
List-Id: Security issues [members-only posting]

Hey

Peter Jeremy wrote:

> [Please wrap your mail before 80 characters]
>
> Why would you trust the toolchain on a potentially hacked machine?
> There's an old paper by Ken Thompson that discusses patching the C
> compiler to recognize the login sources and re-introduce a backdoor -
> even if it was removed from the login sources.
>
> You would be much better off booting a fixit CD-ROM and using that
> rather than trusting anything on the potentially hacked system.

Indeed, one should make a backup copy (if possible) of the potentially
hacked computer (drive) and take the machine offline. Then insert the
backup disk in another PC (or the same one, with the original HD stored
safely) and start up your live CD kit (which can be a FreeBSD version
from CD, or Linux). Make sure that the necessary tools are on the live
CD ;-) and do forensics (tct, The Coroner's Toolkit, might help).

After finding out what happened, format the disk and reinstall from
scratch; be hostile to every config file and other stuff you backed up,
because you might not be able to tell when the potential hack took
place...

Cheers :-)

-- 
Kind regards,

Remko Lodder                    | remko@elvandar.org
Reporter DSINet                 | remko@dsinet.org
Projectleader Mostly-Harmless   | remko@mostly-harmless.nl
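As an added example, not part of Remko's mail and not code from The Coroner's Toolkit, here is a small POSIX sh helper for the first step described above: imaging the suspect drive from a live CD without writing to it, and recording a SHA-256 of the image so the copy can later be shown to be unchanged before any forensics is done on it. The function names (`hash_file`, `image_disk`, `verify_image`) and the `/dev/ad0` device in the usage comment are assumptions; it expects `dd` plus either `sha256sum` (GNU coreutils) or `sha256` (FreeBSD base) to be present on the live CD.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original mail or from TCT):
# image a suspect disk read-only from a live CD and record a SHA-256 of the
# image so the copy can be verified later. Assumes POSIX sh, dd, and either
# sha256sum (GNU coreutils) or sha256 (FreeBSD base).

# hash_file FILE: print the SHA-256 hex digest of FILE with whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "hash_file: no SHA-256 tool found" >&2
        return 1
    fi
}

# image_disk SOURCE DEST: copy SOURCE (normally a whole disk such as the
# assumed /dev/ad0; any readable path works) to DEST sector by sector.
# SOURCE is only ever read. The digest of what was read is compared with the
# digest of the image and stored in DEST.sha256; the digest is printed on success.
image_disk() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "image_disk: cannot read $src" >&2; return 1; }
    # bs=512 matches the sector size, so conv=sync never pads a whole disk;
    # conv=noerror keeps going past unreadable sectors instead of aborting.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src") || return 1
    dst_hash=$(hash_file "$dst") || return 1
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "image_disk: image digest does not match source" >&2
        return 1
    fi
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    echo "$dst_hash"
}

# verify_image DEST: recompute the digest of DEST and compare it with the one
# recorded at imaging time. Returns 0 if unchanged, non-zero otherwise.
verify_image() {
    img="$1"
    [ -r "$img.sha256" ] || { echo "verify_image: no digest record for $img" >&2; return 1; }
    recorded=$(cut -d' ' -f1 "$img.sha256")
    current=$(hash_file "$img") || return 1
    [ "$recorded" = "$current" ]
}

# Usage from the live CD (assumed device name and mount point):
#   sh image.sh /dev/ad0 /mnt/evidence/ad0.img
if [ $# -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

Run it against the raw device from the live CD, write the image to a separate disk, and keep the `.sha256` record with the image; re-run `verify_image` before each analysis session so that any later change to the copy is caught rather than silently analysed.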