On Wed, 23 May 2001, Jeffrey Wong wrote:
>
> > it was bind + tOrn ROOTkit exploit, before april 1 i was using bind
> >8.2.2-P5 and the fookin WORM got me.
>
> >I did upgrade BIND and reinstalled some packages like inetd,
> >net-tools...etc. to totally erase all trojan files.
>
> You only reinstalled some packages?!!!
>
> I am a little bit paranoid about these things, you should reinstall
> everything from scratch.
>
I agree. Even if these are script kiddies they have ways of hiding
backdoors here and there. Never be so sure that you got everything until
you've done a THOROUGH search. There could be setuid programs lurking in
hidden corners, configuration file changes that make services vulnerable,
key system programs like login, su, etc... modified to create backdoors.
It's often infeasible to check for everything, so best practice would be
to back up all important information (database records, user data, etc.),
reinstall, and restore. And be sure that EVERYONE changes their
passwords!
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63(2) 8177746 ext. 8311
Programmer, InterdotNet Philippines +63(917) 4458925
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
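One of the checks the reply above mentions (setuid programs in hidden corners), as an added example that is not part of the original thread: list setuid files under a tree and flag any that are missing from a known-good baseline or that sit under a dot-directory. The function names, the baseline file format (one absolute path per line) and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): setuid audit against a baseline.

# list_setuid ROOT -> sorted paths of regular files with the setuid bit set,
# staying on one filesystem (-xdev).
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# audit_setuid ROOT BASELINE_FILE
# BASELINE_FILE (assumed format): one absolute path per line, recorded on a
# known-clean install. Prints "HIDDEN <path>" for setuid files below a
# dot-directory or named with a leading dot, "NEW <path>" for setuid files
# that are not in the baseline.
audit_setuid() {
    root=$1
    baseline=$2
    list_setuid "$root" | while IFS= read -r path; do
        rel=${path#"$root"}          # judge hiddenness relative to ROOT only
        case "$rel" in
            */.*) echo "HIDDEN $path" ;;
            *)    grep -Fxq -- "$path" "$baseline" || echo "NEW $path" ;;
        esac
    done
}

# Constructed demo tree: one baseline setuid file, one unexpected one,
# and one tucked away in a dot-directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin" "$t/usr/lib/.cache"
    for f in bin/su bin/ls bin/newtool usr/lib/.cache/sh; do
        : > "$t/$f"
        chmod 755 "$t/$f"
    done
    chmod 4755 "$t/bin/su" "$t/bin/newtool" "$t/usr/lib/.cache/sh"
    printf '%s\n' "$t/bin/su" > "$t/baseline.txt"
    audit_setuid "$t" "$t/baseline.txt"
    rm -rf "$t"
}

demo
```

On a host that may already be compromised, find and the shell themselves cannot be trusted, so a check like this is only meaningful when run from known-good media against the mounted disk.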