On Apr 12, 2006, at 7:56 AM, Stewart Stremler wrote:
begin quoting Andrew Lentvorski as of Wed, Apr 12, 2006 at 12:00:50AM -0700:
[snip]
A compromised system *always* requires "nuking from orbit" even if it is Unix. Once a system is "compromised", there is no way to tell what is and isn't trustworthy anymore.
"Cold boot from trusted clean media."
And it's a good idea to make sure that you're using Read Only media,
too, lest you screw up.
I've been using the Gentoo LiveCD 2006.0 (primarily for its inbuilt
support for LVM/EVMS) when doing forensics and data extraction from
compromised hosts. Booting with the "nox" option and mounting
filesystems with -oro,noatime,noexec,nodev is recommended, too.
Gregory
--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B keyserver: pgpkeys.mit.edu
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
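The procedure Gregory describes (boot from read-only media, then mount the suspect filesystems with ro,noatime,noexec,nodev) as an added shell example; it is not code from the thread, from Gentoo, or from any list member. It assumes a Linux live environment with util-linux (mount, blockdev) and /proc/mounts; the device and mount point names are placeholders. It goes beyond the post in two labelled places: nosuid is added to the option set, and ext3/ext4 get noload while XFS gets norecovery, because a plain ro mount of a journaled filesystem still replays the journal, which writes to the evidence disk.

```shell
#!/bin/sh
# Read-only forensic mount helper. Added example, not from the original thread.
# Assumes: Linux live media, util-linux mount/blockdev, /proc/mounts present.
# Device and mount point names used in comments below are placeholders.

# Options named in the post (ro,noatime,noexec,nodev) plus nosuid, an addition
# here: ro alone does not stop a setuid binary on the evidence disk from running.
FORENSIC_OPTS="ro,noatime,noexec,nodev,nosuid"

# Per-filesystem additions (not in the post): journaled filesystems replay the
# journal even on a ro mount, which modifies the evidence. noload (ext3/ext4)
# and norecovery (XFS) skip that replay.
forensic_mount_opts() {
    case "$1" in
        ext3|ext4) printf '%s,noload\n' "$FORENSIC_OPTS" ;;
        xfs)       printf '%s,norecovery\n' "$FORENSIC_OPTS" ;;
        *)         printf '%s\n' "$FORENSIC_OPTS" ;;
    esac
}

# Print the exact mount invocation for DEVICE at MOUNTPOINT without running it,
# so it can be copied into the case notes before anything touches the disk.
# Usage: forensic_mount_cmd /dev/sdb1 /mnt/evidence ext3
forensic_mount_cmd() {
    dev="$1"; mnt="$2"; fstype="${3:-auto}"
    printf 'mount -t %s -o %s %s %s\n' \
        "$fstype" "$(forensic_mount_opts "$fstype")" "$dev" "$mnt"
}

# Check one /proc/mounts line (fields: device mountpoint fstype options dump pass).
# Returns 0 only if every option we asked for is actually in effect; the kernel
# may silently drop or rewrite options, so never trust the command line alone.
verify_mount_line() {
    # shellcheck disable=SC2086  # word-splitting the line into fields is intended
    set -- $1
    opts="$4"
    [ -n "$opts" ] || return 1
    for want in ro noatime noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Perform the mount (needs root). The block device is first flagged read-only
# in the kernel with blockdev --setro, so a mistaken rw remount or a journal
# replay fails at the block layer instead of writing to the evidence.
# Usage: forensic_mount /dev/sdb1 /mnt/evidence ext3
forensic_mount() {
    dev="$1"; mnt="$2"; fstype="${3:-auto}"
    blockdev --setro "$dev" || return 1
    mkdir -p "$mnt" || return 1
    mount -t "$fstype" -o "$(forensic_mount_opts "$fstype")" "$dev" "$mnt" || return 1
    # Confirm what the kernel actually applied, not what we requested.
    line=$(awk -v m="$mnt" '$2 == m' /proc/mounts)
    verify_mount_line "$line"
}
```

After a real mount, `cat /proc/mounts` (or `mount | grep evidence`) is the check worth keeping in the notes: the options column is the kernel's view, and verify_mount_line above fails if any of ro, noatime, noexec, nodev or nosuid is missing from it.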