On Wed, 10 May 2000, Chrissy LeMaire wrote:
hey all, I've got a friend that possibly has a hacked machine.. and has recently purchased 6.4. Does he have to format the drive and start from almost scratch or will just Updating the system take care of the problem?
thanks much, Chrissy
Just updating the system and forgetting about the cracker is probably not the best idea. First, this will not take care of cracked user accounts, e.g. by .rhosts files in user home directories. Second, you will lose all evidence of the hack if you do not back up a significant part of the system prior to reinstalling. If you have no clue how the cracker might have broken into the system you will probably end up with a similar bad default configuration in the newly installed system.

My point is that you may learn a lot from a hacked system and be prepared the next time someone wants to get into your system. Take your time to investigate the system logs and look for installed root kits (e.g. by examining suspicious text strings in system binaries, like ps, ls, netstat, lsmod, find etc. and modified init scripts, by looking for anomalous accounts in passwd, hidden dot-dot-blank directories ...). Or you might even consider backing up your system, installing a neat kernel module to hide your own packet sniffer, logging anomalous network traffic to another host and just letting the cracker have fun for a while.

On the other hand, most people simply do not have the time to do all that (though it _can_ be fun and interesting). In this case, installing the system from scratch (including formatting the drive) is the only way to be sure you don't leave any backdoors open.

Cheers,
Martin

--
Martin Leweling
Institut fuer Planetologie, WWU Muenster, Germany
E-Mail (work): lewelin@uni-muenster.de
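
Three of the checks named in the reply above (.rhosts files in home directories, anomalous accounts in passwd, dot-dot-blank directories), as an added example that is not part of the original messages. It assumes a copy of the suspect disk is mounted on a trusted machine; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only triage of a mounted copy of the suspect disk.
# Run it from a trusted system, never with the suspect system's own binaries.

# .rhosts files in the home directories listed in passwd (field 6)
find_rhosts() {
    awk -F: '$6 != "" { print $6 }' "$1/etc/passwd" | sort -u |
    while IFS= read -r home; do
        if [ -f "$1$home/.rhosts" ]; then printf '%s\n' "$home/.rhosts"; fi
    done
}

# Accounts with UID 0 that are not root, or with an empty password field
odd_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $2 == "" { print $1 }' "$1/etc/passwd"
}

# Directories whose name is dots followed by a blank, e.g. ".. "
dot_blank_dirs() {
    find "$1" -type d \( -name '.. *' -o -name '. *' \) -print
}

# Constructed sample tree so the checks can be tried offline
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc" "$r/home/alice" "$r/home/bob" "$r/var/tmp/.. "
    cat > "$r/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
toor:x:0:0::/root:/bin/sh
guest::502:502::/home/guest:/bin/sh
EOF
    echo 'host.example.invalid someuser' > "$r/home/bob/.rhosts"
    printf '%s\n' "$r"
}

ROOT=${1:-$(make_sample_root)}   # mount point of the copy, or the sample tree
echo "== .rhosts files";       find_rhosts "$ROOT"
echo "== anomalous accounts";  odd_accounts "$ROOT"
echo "== dot-blank dirs";      dot_blank_dirs "$ROOT"
if [ "$#" -eq 0 ]; then rm -rf "$ROOT"; fi   # remove the sample tree only
```

Pass the mount point of the copy as the first argument; with no argument the script runs against the constructed sample tree.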