what to do when you've been rooted
Rick Moen
rick at linuxmafia.com
Sat Jan 20 20:13:21 PST 2001
begin Bob Blick quotation:

> It's running a redhat 6.2 system straight off the cd. I know the hole was in
> wu-ftpd, but I need to know which packages I should reinstall to make sure
> I have cleaned out the files typically overwritten by a root kit.

(1) Secure your data files. (2) Recreate _all_ executables and
configuration files from trusted sources. All -- and I am not kidding.
(3) Restore your data files.

> Any links?

Start with http://www.cert.org/nav/recovering.html

After you rebuild, do whatever it takes to (1) lower your security
exposure by removing unneeded software after a careful study of your
system, and (2) stay current on whatever remaining software still poses
security exposures.

By the way, I consider wu-ftpd to have _way_ too many security problems.
Thus:

http://linuxmafia.com/pub/linux/security/ftp-daemons
http://linuxmafia.com/pub/linux/security/ssh-clients

> Be warned, everybody, if you have RH 6.2 on a machine, it is a prime
> target.

Not inherently: Only if badly administered (and sorry about that salt
rubbed into your wound, but it's the truth).

--
Cheers,
Rick Moen
rick at linuxmafia.com

"Because film is the pre-eminent American art form. You don't hear
people saying 'You know, this movie would make a really great epic
poem.'" -- Orson Scott Card, book signing, 7 Jan 2001