what to do when you've been rooted

Bob Blick bblick at saber.net
Sat Jan 20 18:35:01 PST 2001


Thanks for the tips. 

It turns out that now there are two machines with a problem. A friend who
is setting up a new mail server for a school (to replace one that is running
on a different OS) had his compromised a week ago. His shows clear signs of
the Ramen worm; it looks like it just installed its payload and that's it.
I think on that machine he's safe to just fix what it did, especially since
that machine was a painful install. Testing against the rpms on the CD should
suffice to verify.

My machine, however, was abused for the last three days. They did not use
Ramen to gain access, and definitely put in a kit of some sort; /var/log is
empty and acts like a link to /dev/null, and root has installed and been
running BitchX (certainly not me). I think that machine gets a fresh install.

Definitely any machine I have online 24/7 gets updates from now on!

-Bob


