On Sunday 05 February 2006 06:52, [EMAIL PROTECTED] wrote:
> Yay, more of Alvin's nonsense!
>
>> personally, it is 1000x easier to fix and remove the security
>> problems than it would be to start from step -1 reinstalls
>
> Uh no, it's not if you do it properly.
>
>> ... and spend
>> another week or month to harden and verify all the configs
>> and user info ( i say, if you're "doing it right", it will take you
>> about 3 days to a week to harden the new box and verify it )
>
> Personally I spend about 2-3 minutes doing this. It's called
> regular backups of /etc and other key locations of configuration
> data. Pull a copy prior to the compromise.
>
>> when you reinstall, you still cannot be guaranteed that the trojans
>> are not going to be restored by your reinstalls and restores from
>> backup
>
> That's why, dundunDUNNNNN, he said "copy only data, not
> programs." Backing up data, not programs, means the chances of you
> getting anything malicious in there is extremely low. In fact I dare
> say nonexistent.
>
>> - how can you guarantee that the trojans are not in the backups ?
>
> Backup data areas, not areas in the path? Just a thought.
>
>> the trick is that you know how to verify the binaries, the libraries
>> and the directory tree ... and can find what is NOT supposed to be
>> there
>
> Which is extremely hard to do on a compromised system where the
> basic tools you rely on to detect such things have been modified to
> hide the very things you're looking for.
>

What he said, amen amen. I did clean up a rootkit once, years ago, but it took about 3 days to check everything. Fortunately, the perp DIDN'T put in a new chattr; it turned out to be a very valuable tool to find his crap.

A re-install is quicker, then get older backups from amanda's stash.

>--
>Steve Lamb

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
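The thread turns on two practical points: keep a known-good copy of /etc (and other configuration areas) from before the compromise, and "find what is NOT supposed to be there" while remembering that the box's own tools may have been modified to hide it. The script below is an added example written for this page, not code from any participant in the thread. It builds a SHA-256 manifest of a directory tree and later diffs a fresh manifest against that baseline, reporting added, removed and modified files. It assumes GNU coreutils (`sha256sum`, `find`, `sort`, `comm`, `cut`) and, following Steve's caveat, that those tools are run from trusted rescue media rather than from the suspect system; the sample directory and file names are constructed for the usage shown.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline.
# make_manifest DIR OUT     -> writes "sha256  ./path" lines, sorted by path
# compare_manifests BASE NEW -> prints REMOVED/ADDED/MODIFIED lines, one per path
#
# Caveat from the thread: on a compromised host, sha256sum/find/sort may be
# trojaned. Run this from a rescue image and keep the baseline manifest
# off-box, next to the /etc backup it describes.

export LC_ALL=C   # byte-wise sort order so comm(1) sees identical collation

# Hash every regular file under DIR, relative to DIR, and sort by path.
make_manifest() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -exec sha256sum {} +) | sort -k 2 > "$out"
}

# Diff two manifests. sha256sum lines are 64 hex chars + two spaces + path,
# so the path starts at column 67.
compare_manifests() {
    base=$1; new=$2
    tmp=$(mktemp -d)

    cut -c67- "$base" | sort > "$tmp/base_paths"
    cut -c67- "$new"  | sort > "$tmp/new_paths"

    # Paths only in the baseline are gone; paths only in the new tree are new.
    comm -23 "$tmp/base_paths" "$tmp/new_paths" | sed 's/^/REMOVED  /'
    comm -13 "$tmp/base_paths" "$tmp/new_paths" | sed 's/^/ADDED    /'

    # Modified = present in both trees, but the "hash  path" line differs.
    comm -12 "$tmp/base_paths" "$tmp/new_paths" > "$tmp/common"
    sort "$base" > "$tmp/b"
    sort "$new"  > "$tmp/n"
    comm -13 "$tmp/b" "$tmp/n" | cut -c67- | sort > "$tmp/diffpaths"
    comm -12 "$tmp/common" "$tmp/diffpaths" | sed 's/^/MODIFIED /'

    rm -rf "$tmp"
}

# Command-line usage (constructed paths):
#   integrity.sh baseline /mnt/good-etc  /media/usb/etc.sha256
#   integrity.sh compare  /media/usb/etc.sha256 /media/usb/etc-now.sha256
case "${1:-}" in
    baseline) make_manifest "$2" "$3" ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

The report only tells you which files differ from the baseline; deciding whether a change is legitimate still needs the configuration history Steve describes, and a clean baseline is only as trustworthy as the media it was taken from.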