On Sun, Feb 06, 2005 at 12:40:55PM -0500, Michael Marsh wrote:
> On Sun, 6 Feb 2005 17:48:32 +0100, DI Peter Burgstaller
> <[EMAIL PROTECTED]> wrote:
> > I'm considering taking it back online with a 2.4.29-grsec-hi, what do
> > you guys think?
>
> You were rooted, you should reinstall. It's not worth risking that he
> left something that you didn't find.

I see no evidence at all of being rooted, or even hints thereto. Yes, the
backup account was compromised. It looks like there were quite some security
measures in place, try to look hard for any attempt to kernel exploit or
otherwise local exploit, and think about what files this backup account had
access to.

Of course, importance of the system matters too, if you were the NSA or
something, I'd definitely reinstall, however, if you're not THAT paranoid, I
think you can do with locking down backup account, checking all files
writeable by backup (all files with recent ctime?), and places like /var/tmp,
/tmp, etc.

--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
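
The check suggested in the reply above (files the backup account could write that have a recent ctime, including /var/tmp and /tmp), as an added example that is not part of the original message. The function name `recent_writable`, the day window and the directory list in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Lists paths under the given
# directories that ACCOUNT could have modified and whose ctime falls within
# the last DAYS days. ctime is set by the kernel on every inode change and
# cannot be reset with touch(1), so it is a better triage signal than mtime.
#
# usage: recent_writable ACCOUNT DAYS DIR...
recent_writable() {
    rw_user=$1
    rw_days=$2
    shift 2

    # Group-writable paths count too: one "-o ( -group GID -perm -0020 )"
    # clause per group the account belongs to. Numeric GIDs contain no
    # whitespace or glob characters, so the unquoted expansion below is safe.
    rw_groups=""
    for rw_gid in $(id -G "$rw_user" 2>/dev/null); do
        rw_groups="$rw_groups -o ( -group $rw_gid -perm -0020 )"
    done

    # Match: owned by the account (an owner can always chmod its own files),
    # world-writable, or writable through one of the account's groups.
    # Symlinks are skipped because their mode bits are always 0777 on Linux.
    # -xdev keeps find on the filesystem of each starting directory.
    find "$@" -xdev ! -type l -ctime "-$rw_days" \
        \( -user "$rw_user" -o -perm -0002 $rw_groups \) -print 2>/dev/null
}

# Example call for the case in this thread (window and directories are
# assumptions, adjust to the system being examined):
#   recent_writable backup 30 /home /var/tmp /tmp
```

Every hit is only a candidate for manual review; compare it against known-good backups or package checksums before trusting it.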

