amos.shapira at gmail.com
Fri Nov 30 01:26:00 UTC 2007
On 30/11/2007, Ross S. W. Walker <rwalker at medallion.com> wrote:
> Find out how they got in and make sure that hole is fixed.
> Do an rpm verify on all installed packages (excluding configs), reinstall
> the rpms that fail the verify.
> Find all binaries that are not accountable in rpm and nuke them.
> Harden your host with selinux and audit, keep audit logs of all changes to
> binary files and essential configs and make sure the audit logs are
> Keep an eye on the system for a while to make sure you haven't missed
> Keep LVM snapshots of your OS LVs.
I'd Frank Cox' - you can't trust anything on the system now (e.g. how can
you be sure that the rpm, bash, ls, ps binaries and various kernel modules
haven't been replaced to hide some processes and files? That the boot loader
hasn't been tweaked to run some snooper or who knows what?)
The only benefit of investigating the current system is in learning what
went wrong, reporting bugs and maybe changing configuration in the reinstalled
system, but other than that you shouldn't allow one bit of it to touch a
CPU, so to speak.
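As an added example (not from either poster), the "rpm verify, reinstall what fails, then hunt for binaries rpm does not account for" steps Ross describes can be scripted as below. It assumes the rpm CLI, GNU find/xargs and a POSIX awk; the function names are my own, and the `rpm -Va` lines used to exercise the parser are constructed. Amos' caveat applies in full: on a host whose rpm binary, database or kernel may have been replaced, this output is evidence to learn from, not a clean bill of health, so it is best run from a rescue environment against the suspect root (rpm's `--root` option) or against a mounted image, and compared with package signatures from a trusted mirror.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Assumes the rpm CLI and a
# POSIX awk; sample "rpm -Va" lines fed to the parser are constructed.

# Read "rpm -Va" output on stdin and print the paths of files that failed
# verification, dropping config files (type column "c"). Config files are
# expected to differ from the packaged copy and would only add noise;
# everything else (binaries, libraries, docs, kernel modules) is kept.
# "rpm -Va" lines look like:
#   S.5....T.  c /etc/ssh/sshd_config     (status, type letter, path)
#   .M.......    /usr/bin/ps              (status, path; no type letter)
#   missing     /usr/sbin/sshd
rpm_verify_failures_noconfig() {
  awk '
    NF == 3 && $2 == "c" { next }   # config file: skip
    NF == 3 { print $3; next }      # status, type letter, path
    NF == 2 { print $2 }            # status (or "missing"), path
  '
}

# Map a list of paths (stdin) to the package names that own them, one per
# line and de-duplicated, ready to feed to "yum reinstall".
packages_owning_paths() {
  xargs -r rpm -qf --queryformat '%{NAME}\n' 2>/dev/null | sort -u
}

# List executables under the given directories that no installed package
# owns: the "not accountable in rpm" category. Each hit needs a human
# decision (locally built tool vs. dropped binary) before removal.
unowned_executables() {
  find "$@" -type f -perm /111 2>/dev/null | while IFS= read -r f; do
    rpm -qf "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
  done
}

# Full pass only when explicitly requested, so the functions above can be
# sourced and tested without touching the host.
if [ "${RPM_AUDIT_RUN:-0}" = 1 ]; then
  echo "== packages with modified or missing non-config files =="
  rpm -Va | rpm_verify_failures_noconfig | packages_owning_paths
  echo "== executables owned by no package =="
  unowned_executables /bin /sbin /usr/bin /usr/sbin /usr/libexec /lib/modules
fi
```

Run with `RPM_AUDIT_RUN=1 sh rpm_audit.sh` and keep the two lists with the incident notes; the first list is what to reinstall from trusted media, the second is what to account for or delete, and both are only as trustworthy as the rpm binary and database that produced them.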