On Fri, 2006-10-27 at 15:00 -0600, Daniel wrote:
> I have people accessing this server who don't know much about
> computers and get freaked out when something changes. Will they
> notice something has changed when they use it the first time after the
> reinstall?

I wouldn't do anything if that's the case. Just try to find who's done this (their IP address is a good start) and explain your situation to him. I'm sure he'll probably understand since he works with computers and computer illiterate people also. With any luck, he might also share which other files need to be "cleaned up."

If that doesn't work, you *could* try to explain to your users that you had to reinstall because you had no way to verify that the guy wasn't gathering their passwords and IP addresses as they logged onto the server. Perhaps they might understand if they knew that all their information stored on the was, for a time, in the hands of a cracker.

No really, take good advice when it's offered. Preserve what evidence you can, quarantine all files until checked-out and reinstall. This is your *only* *real* option, especially if the cracker is not some script kitty and sophisticated enough to produce a "homegrown rootkit."

Overlook my sarcasm. I'm genuinely sorry to hear that you've been cracked. I wish you luck.

--
Gabriel Gunderson
http://gundy.org
