what to do when you've been rooted

Devin Carraway aqua at atlantic.devin.com
Sat Jan 20 17:48:40 PST 2001


Just speaking generally, it's often quicker to do a reinstall than run down
all of the avenues after a compromise -- that goes for most systems, UNIX and
otherwise.  If you haven't done much customization other than stuff for your
own use (that is, stuff in your homedir), you can back up /home, reinstall,
and restore /home.  There are some trust issues in /home also, if you made
executables for yourself in there, but they're less common targets.

Otherwise, find the rootkit and what it changed.  After a root compromise the
system is untrustworthy -- including the kernel's reporting of what's actually
on the system.  So boot off a write-protected rescue floppy or stick the drive
in the machine to do the sanitizing.

-- 
Devin  \ aqua(at)devin.com, 1024D/E9ABFCD2;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
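As an added example (not from Devin's post or the list): a sketch of the offline check he describes, run from a trusted rescue boot against the suspect disk mounted read-only at a path you supply. The manifest format, function names and demo data are all constructed here; a real baseline comes from a clean install or backup.

```shell
#!/bin/sh
# Added example, not from the original post. Everything runs from the rescue
# system: the suspect tree is only read, never executed, since its kernel and
# binaries cannot be trusted. Manifest lines are "path<TAB>sha256".

# Report manifest entries whose file on the suspect mount is missing or no
# longer matches its known-good hash.
check_manifest() {
    suspect="$1"; manifest="$2"
    while IFS="$(printf '\t')" read -r path expected; do
        f="$suspect/$path"
        if [ ! -f "$f" ]; then
            printf 'MISSING\t%s\n' "$path"
            continue
        fi
        actual=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || printf 'MODIFIED\t%s\n' "$path"
    done < "$manifest"
}

# List executables under /home on the suspect mount, flagging setuid ones:
# the "trust issues in /home" to settle before restoring it.
find_home_executables() {
    suspect="$1"
    find "$suspect/home" -type f -perm -4000 2>/dev/null |
        while read -r f; do printf 'SETUID\t%s\n' "${f#$suspect}"; done
    find "$suspect/home" -type f -perm -u+x ! -perm -4000 2>/dev/null |
        while read -r f; do printf 'EXEC\t%s\n' "${f#$suspect}"; done
}

# Constructed demo: fake suspect root, one trojaned binary, hidden setuid file.
demo() {
    root=$(mktemp -d); manifest="$root.manifest"
    mkdir -p "$root/bin" "$root/home/alice"
    printf 'clean ls\n' > "$root/bin/ls"; printf 'clean ps\n' > "$root/bin/ps"
    for b in ls ps; do
        printf 'bin/%s\t%s\n' "$b" "$(sha256sum "$root/bin/$b" | cut -d' ' -f1)"
    done > "$manifest"
    printf 'trojaned ps\n' > "$root/bin/ps"          # rootkit replaced ps
    printf 'x\n' > "$root/home/alice/.x"; chmod 4755 "$root/home/alice/.x"
    check_manifest "$root" "$manifest"               # -> MODIFIED  bin/ps
    find_home_executables "$root"                    # -> SETUID  /home/alice/.x
    rm -rf "$root" "$manifest"
}
demo
```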
