On Mon, Feb 07, 2005 at 12:35:45AM +0100, martin f krafft wrote:
> Once an attacker is on the system, you cannot be sure anymore that
> you can track his/her actions down. Sophisticated root kits exist to
> cover all (!) traces.

I co-administer a system with ~ 250 users, a significant part of them I don't know very well personally, and really, I don't rule out some of them might try to do some cracking, or, more likely, have such a shoddy password policy or infected Windows system that their account will be used to. Should I now reinstall these systems daily?

I see not much difference, except that in this case, there really was someone with evil intentions on an account, but as said already in this thread, what you see is only part of what happens. Especially on a busy multiuser system, suspected activity might go unnoticed.

In both my case, and the thread starter's case, a normal user account might be or was definitely in the hands of someone malicious. In both cases, no evidence whatsoever was there that there was even an attempt at becoming root.

My point was and is, user account != root. Any such hole would be dangerous, but if you cannot somewhat reasonably assume this, you are only paranoidly going to reinstall systems over and over again.

My final remark in this thread about this specific case: If it was merely a backup MX, indeed, just reinstall, as the only valuable thing was probably the mail queue (harmless) and the mail config (probably trivial or at least trivially checkable). If you reboot from CD-ROM and fdisk & mkfs the hard disk from start, all these hidden files in filesystems etc. is just FUD.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

