On 5/12/05, Allen C Brown <[EMAIL PROTECTED]> wrote:
> larry price said the following on 05/11/2005 07:25 PM:
> > On 5/11/05, Jim Beard <[EMAIL PROTECTED]> wrote:
> > [cut]
> > >>>Any other advice?
> >
> > Change keys and passwords, revoke any certificates for which the key
> > was available on the machine. Check the rest of your network.
> >
> > use mtree or something similar to compare the hashes of system binaries.
> > (http://md5deep.sourceforge.net/ can check external hash sources which
> > can be effective for binary distributions like RedHat)
>
> If the attacker was thorough, you will not be able to trust
> *any* tools run on this system. Including mtree or cmp. The only
> safe approach is a fresh system install.

I wasn't thinking in terms of running from the compromised system, and I guess I should have been more clear and specified the boot from a rescue disk or other liveCD to create the forensic context.

"Assume all your assumptions are wrong."

--
http://Zoneverte.org -- information explained
Do you know what your IT infrastructure does?
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug

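The offline comparison discussed in this thread, as an added example that is not part of the original messages: run from a rescue disk or liveCD, it checks files under the suspect system's mounted root against a known-good hash list. It assumes the list uses the "HEXDIGEST, whitespace, absolute path" line layout that md5deep-style tools emit; the function names and the sample tree are constructed for illustration.

```python
import hashlib, os, tempfile

ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> hashlib name

def load_manifest(text):
    """Parse 'HEXDIGEST  /abs/path' lines into {path: digest} (assumed layout)."""
    known = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and len(parts[0]) in ALGO_BY_LEN:
            known[parts[1]] = parts[0].lower()
    return known

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(mount_root, known):
    """Compare files under an offline-mounted root against known-good digests."""
    report = {"modified": [], "missing": [], "unlisted": []}
    for path, digest in sorted(known.items()):
        target = os.path.join(mount_root, path.lstrip("/"))
        if not os.path.isfile(target):
            report["missing"].append(path)
        elif file_digest(target, ALGO_BY_LEN[len(digest)]) != digest:
            report["modified"].append(path)
    for dirpath, _, names in os.walk(mount_root):
        for name in names:
            rel = "/" + os.path.relpath(os.path.join(dirpath, name), mount_root)
            if rel not in known:  # present on disk, absent from the known-good list
                report["unlisted"].append(rel)
    report["unlisted"].sort()
    return report

def demo():
    """Constructed sample: a fake mounted root with one altered and one extra file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        good = {"/bin/ls": b"ls-original", "/bin/ps": b"ps-original", "/bin/cmp": b"cmp-original"}
        manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in good.items())
        on_disk = {"/bin/ls": b"ls-original", "/bin/ps": b"ps-altered", "/bin/sk": b"extra"}
        for p, d in on_disk.items():
            with open(os.path.join(root, p.lstrip("/")), "wb") as f:
                f.write(d)
        return audit(root, load_manifest(manifest))

if __name__ == "__main__":
    print(demo())
```

The known-good list has to come from outside the suspect machine (vendor packages or a pre-incident baseline kept elsewhere), and the interpreter running the check comes from the rescue media rather than the mounted disk.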