On Wed, 23 May 2001, Ronneil Camara wrote:

> I totally agree with Jeff.
>
> Bind 4.9.5 is nice. It's supposedly not vulnerable. ;p
>
>
> -----Original Message-----
> From: Jeffrey Wong [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 23, 2001 12:47 AM
> To: 'dwen '; '[EMAIL PROTECTED] '
> Subject: RE: [plug] inetd
>
>
>
> > it was bind + tOrn ROOTkit exploit, before april 1 i was using bind
> >8.2.2-P5 and the fookin WORM got me.
> >I did upgrade BIND and reinstalled some packages like inetd,
> >net-tools...etc. to totally erase all trojan files.
>   You only reinstalled some packages?!!!
>   I am a little bit paranoid about these things, you should reinstall
> everything from scratch.


I don't agree.  That's too much work! 8)
If you run an RPM based distro you can recover from a compromise..


1. checking the RPM MD5 sigs, and updating the packages of those that
failed.

2. check your file system for executables that don't belong to any RPM,
and erase all those that you find that do not belong to an RPM.

3. port scan your box (ports 1 - 65534) and make sure there are no other
open ports other than the services you provide.

4. upgrade all non-infected packages with the latest security upgrades.

So you see, running a distro like Slackware will indeed require a complete
reinstall, but a distro with a decent package manager won't.



Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
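
Steps 1 and 2 of the procedure in the message above, as an added example that is not part of the original post. The function names and the sample `rpm -Va` output are constructed for illustration, and the script assumes the rpm binary and its database are themselves trustworthy.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the rpm binary and
# its database have not been tampered with.

# Step 1: read `rpm -Va` output on stdin and print paths that are missing
# or whose digest check failed ('5' in the third flag column). Files
# marked 'c' (config) are skipped because they change legitimately.
failed_digest_files() {
    awk '
        $1 == "missing" { sub(/^missing +([cdglr] +)?/, ""); print; next }
        length($1) >= 8 && substr($1, 3, 1) == "5" {
            if ($2 == "c") next
            sub(/^[^ ]+ +([cdglr] +)?/, "")
            print
        }'
}

# Map failed paths (stdin) to the names of the packages to reinstall.
packages_to_reinstall() {
    while IFS= read -r f; do
        rpm -qf --queryformat '%{NAME}\n' "$f" 2>/dev/null
    done | sort -u
}

# Hypothetical helper: succeeds if an installed package owns the file.
is_owned() { rpm -qf "$1" >/dev/null 2>&1; }

# Step 2: list regular files with any execute bit set, under the given
# directories, that no installed package owns.
unowned_executables() {
    find "$@" -xdev -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    while IFS= read -r f; do
        is_owned "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample of `rpm -Va` output, for illustration only.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.  c /etc/inetd.conf
.......T.    /usr/bin/top
missing     /usr/sbin/in.identd
SM5....T.    /bin/netstat'

# Typical use on a live host:
#   rpm -Va | failed_digest_files | packages_to_reinstall
#   unowned_executables /bin /sbin /usr/bin /usr/sbin
```

Review the list from `unowned_executables` before deleting anything, since locally built or manually installed tools also show up as unowned.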