At 05:30 PM 8/30/2001 +0800, you wrote:
>because we don't know whether it may already have been broken into,
>and someone has left a sniffer or whatever.
>
>is reformatting it the only way to secure it?
>is there a tool that can check for sniffers?
Reformatting will make sure that everything will be "fresh" after another
install. IMHO, that's the only way you can be sure that the machine is
"sniffer-free".
You can of course go through the tasks of identifying which are the open
ports, which are the running programs, which are suid-root programs, blah
blah, and close whichever are not supposed to be running. But if a
machine has been compromised (or you think it has been - depends on your
level of paranoia, I guess), you'd never know (actually there is a way,
like comparing filesizes between a "suspected" binary and a
trusted/newly-installed binary) that the program you are using to look for
sniffers IS a compromised version as well (happened to me a couple of times
already; doing a ps or a netstat didn't show anything strange -- but of
course, those programs were hacked also).
So, when in doubt, back up data files, set up a new box, configure, and
most importantly, _secure_ the new box (install tripwire, portsentry, lids
... the usual, see previous threads for more info).
HTH
Froilan Mendoza
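A bare-bones version of the check Froilan describes (comparing a suspect binary with a trusted, freshly installed copy), added here as an example and not code from the original thread: it compares size and SHA-256 of a list of binaries between a suspect root and a trusted root, such as read-only install media mounted on the box. The root paths and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Compare binaries on a suspect system against a trusted copy.
# Run the shell, wc and sha256sum from the trusted media as well: on a
# compromised box those tools may have been replaced too (the thread's point
# about ps and netstat applies to the checking tools themselves).

# compare_bins SUSPECT_ROOT TRUSTED_ROOT RELATIVE_PATH...
# Prints one line per mismatch; exit status is the number of mismatches.
compare_bins() {
    suspect="$1"; trusted="$2"; shift 2
    bad=0
    for bin in "$@"; do
        s="$suspect/$bin"; t="$trusted/$bin"
        if [ ! -f "$t" ]; then
            echo "MISSING trusted copy: $bin"; bad=$((bad + 1)); continue
        fi
        if [ ! -f "$s" ]; then
            echo "MISSING on suspect:   $bin"; bad=$((bad + 1)); continue
        fi
        ssize=$(wc -c < "$s"); tsize=$(wc -c < "$t")
        if [ "$ssize" -ne "$tsize" ]; then
            echo "SIZE  $bin: suspect=$ssize trusted=$tsize"; bad=$((bad + 1))
            continue
        fi
        # Same size is not enough: a replaced binary can be padded to match,
        # so compare content hashes as well.
        shash=$(sha256sum "$s" | cut -d' ' -f1)
        thash=$(sha256sum "$t" | cut -d' ' -f1)
        if [ "$shash" != "$thash" ]; then
            echo "HASH  $bin: suspect=$shash trusted=$thash"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed demo: ps is identical, netstat has the same size but different
# content, ls differs in size. Returns the mismatch count (2).
demo_mismatch_count() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/suspect/bin" "$tmp/trusted/bin"
    printf 'genuine ps\n'      > "$tmp/trusted/bin/ps"
    printf 'genuine ps\n'      > "$tmp/suspect/bin/ps"
    printf 'genuine netstat\n' > "$tmp/trusted/bin/netstat"
    printf 'patched netstat\n' > "$tmp/suspect/bin/netstat"
    printf 'genuine ls\n'      > "$tmp/trusted/bin/ls"
    printf 'genuine ls plus\n' > "$tmp/suspect/bin/ls"
    compare_bins "$tmp/suspect" "$tmp/trusted" bin/ps bin/netstat bin/ls
    n=$?
    rm -rf "$tmp"
    return "$n"
}
```

For a real check, point the trusted root at a mounted known-good install rather than a directory on the suspect disk, since a compromised box can alter anything it can write to.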
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph