On Mon, 22 Dec 2003, Brian Eckman wrote:
> Schmehl, Paul L wrote: > Hmmm. Well, if the execute bit isn't set, then I'd assume it can be > considered relatively safe. If the attacker can later find a way to > chmod it and then execute it with the privliges needed to make it > harmful, then I imagine that they could find other ways of compromising > your machine as well. > The attacker could have also added a new user to your oracle database, so I see where Paul is coming from. Restoring actual data from a known good copy is a better idea. I suspect that most people keep a backup copy (raw dd) of a compromised system for the feds and a copy for themselves to explore. Other than that nothing can be trusted from the compromised system. -- Larry C$ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
