On Sat, April 9, 2005 11:04 pm, Phil Brutsche said:
Chris Mauritz wrote:
That is absolutely the way to handle a hacked machine. Unless you've got MD5 fingerprints of each file on the system (a la tripwire), there is no way of knowing where the naughty people may have stashed future surpises for the original poster.
And even then you need to have those fingerprints on RO media and verify them off-line (relative to the machine's normal state) such as from a bootable rescue CD.
If you can aford the time, if you have not already, you need to determine how the hacker gained access, otherwise, when you re-install your OS and applications again, you may well get hacked all over again.
Having Tripwire, etc., may be useful for determining what files were changed, but I'd never rely on a host integrity system to 'recover' a system. Always re-install to have a clean system. You'll be much better off.
Just my 2cents. :)
~Dan