** Reply to message from Roman Drahtmueller <draht@suse.de> on Tue, 2 Jul 2002 20:18:08 +0200 (MEST)

Roman wrote:
**> But isn't it somewhat naive to believe this machine is usable after
**> this? I mean, he wrote about a compromised machine (rootkit).
**> I would not trust this machine at all, and suggest a completely new
**> install.
**
**Heh, that's something entirely different, yes.
**Basically, if you run a rescue system and mount the filesystem under a
**different kernel, you can probably save the installation and continue
**running it, provided you have checksums of all files or a tripwire
**database.

Hi gang.. pardon me for jumping in here.. but isn't this a question that arises often enough that one *should* have secure DATA backups, and, indeed, records of the way the box is set up?

That way, in the event this unhappy situation occurs again, there is no question of what to do... take the compromised box down, immediately. Off the internet and disconnect from your intranet.

If you are in an office or other situation where you need your boxes up "live" all the time, you probably should have some sort of backup box available anyway... ;-)

But it seems pretty obvious, from a casual perusal of message boards where the haxsors like to play, they aren't content w/ getting just one box in a network... leaving a rootkitted box up and connected to the rest of your intranet most likely means you will be doing reinstalls on all your boxes, you'll just be doing it sequentially.. <sigh> That is an even bigger PITA, no?

It would be nice to have a template to get out of these unfortunate situations. But circumstances vary so much a template would have only the most basic information. ;-/

For offices (large or small) taking a box down or offline is a chaotic event for all concerned.

It is a good thing we have so many folks here who actually care about security <G>

just my $02
j

afterthought
COFFEE.EXE missing - insert cup and press any key ...
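
The checksum comparison mentioned in the quoted text, as an added example that is not part of the original thread: it hashes a tree mounted from a rescue system and classifies differences against a stored baseline. The function names and the sample tree are constructed for illustration, and the baseline is assumed to have been recorded before the compromise and kept off the machine.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def digest(path):  # SHA-256 of a regular file, read in chunks
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file path (relative to root) to its digest or symlink target."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):  # directory symlinks are not followed
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                entries[rel] = "symlink:" + os.readlink(full)  # record target only
            elif os.path.isfile(full):
                entries[rel] = digest(full)
    return entries

def compare(baseline, root):
    """Classify differences between a trusted baseline and the tree mounted at root."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed sample tree: record a baseline, change the tree, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "etc/inetd.conf": b"#"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root)  # assumed taken while the system was known good
        (root / "bin/ps").write_bytes(b"ps replaced")  # constructed change to a baseline file
        (root / "etc/inetd.conf").unlink()             # constructed removal
        (root / "bin/.x").write_bytes(b"new file")     # constructed file absent from baseline
        return compare(baseline, root)

if __name__ == "__main__":
    print(demo())
```

Run it with the interpreter and hashing tools from the rescue media, not binaries on the mounted filesystem, since those are exactly what is being checked.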