larry price said the following on 05/11/2005 07:25 PM:
On 5/11/05, Jim Beard <[EMAIL PROTECTED]> wrote:
[cut]
Any other advice?
Change keys and passwords, revoke any certificates for which the key was available on the machine. Check the rest of your network.
Use mtree or something similar to compare the hashes of system binaries. (http://md5deep.sourceforge.net/ can check against external hash sources, which can be effective for binary distributions like RedHat.)
If the attacker was thorough, you will not be able to trust *any* tools run on this system. Including mtree or cmp. The only safe approach is a fresh system install.
Also do a few broad-spectrum sweeps of your network traffic using ethereal or ntop and check out anything weird, since the fact that one of your machines was compromised raises the risk for the rest of your network.
Make sure you get enough sleep, since lack of sleep will affect your judgment ;-)
Good idea.
--
Allen Brown
work: Agilent Technologies
non-work: http://www.peak.org/~abrown/
[EMAIL PROTECTED] [EMAIL PROTECTED]
Anything worth doing is worth overdoing. --- A.B.
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
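The hash comparison suggested in the thread (check installed binaries against an external hash source, and do it with tools the intruder could not have touched) as an added worked example; this is not code from the thread, from mtree or from md5deep. It assumes a manifest in the "<hex digest>  <relative path>" layout that md5deep and sha256sum both emit, with paths relative to the tree being checked, and it is meant to be run from a clean host against the suspect disk mounted read-only. The fixture in demo() (a fake bin/ tree with one trojaned file, one deleted file and one planted file) is constructed for illustration.

```python
"""Compare an on-disk tree against an externally supplied hash manifest.

Added example, not code from the EUGLUG thread or from md5deep/mtree.
Assumed manifest format: one "<hex digest>  <relative path>" line per file
(what md5deep and sha256sum print). Run this from a clean boot or a clean
host with the suspect filesystem mounted read-only; a trojaned libc or
python on the compromised box makes any result meaningless.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse '<digest>  <relative path>' lines into {path: digest}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        path = path.strip()
        if path.startswith("*"):        # sha256sum marks binary mode with '*'
            path = path[1:]
        known[path] = digest.lower()
    return known


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, known, algorithm="sha256"):
    """Return {"ok", "modified", "missing", "unlisted"} -> sorted relative paths.

    "modified" and "missing" are the classic rootkit signs (replaced ps/ls,
    deleted logs); "unlisted" catches files the manifest never mentioned,
    i.e. things the intruder planted. Prefer sha256 manifests where the
    vendor offers them; md5 is accepted only because many old hash sets use it.
    """
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    for rel, digest in known.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif file_digest(p, algorithm) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in known:
                report["unlisted"].append(rel)
    for paths in report.values():
        paths.sort()
    return report


def demo():
    """Constructed fixture: a clean manifest, then a simulated compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        originals = {
            "bin/ls": b"#!/bin/sh\necho ls\n",
            "bin/ps": b"#!/bin/sh\necho ps\n",
            "bin/netstat": b"#!/bin/sh\necho netstat\n",
        }
        for rel, data in originals.items():
            (root / rel).write_bytes(data)
        # The manifest is built from the pristine files, standing in for a
        # vendor-supplied hash set fetched on a clean host.
        manifest = "\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in originals.items()
        )
        # Simulated intrusion: trojaned ps, deleted netstat, planted sniffer.
        (root / "bin/ps").write_bytes(b"#!/bin/sh\necho ps | grep -v rootkit\n")
        (root / "bin/netstat").unlink()
        (root / "bin/.sniff").write_bytes(b"\x7fELF planted binary")
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the manifest comes from the distribution (package checksums exported on a clean machine) rather than from the suspect host, and the comparison is only as good as the host it runs on; a trustworthy answer still leads to the reinstall the thread recommends, because a clean hash check proves nothing about the kernel that served the reads.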
