Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- Subject: Re: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
- From: elmer@xxxxxxxxxxxxxx
- Date: Tue Feb 27 05:35:41 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Tue, 27 Feb 2001, Roger Dunk wrote:
} to use the restore CD. Furthermore, when you know what rootkit has been used
} on your machine, you can usually find out exactly what has been affected and
} replace the necessary files. I have cleaned several machines of the t0rn
} rootkit, and haven't had any problems since, so I think it's definitely
} worth a try.
This may be true for someone that knows what they are doing, but
I've also noticed a few postings from people who claim to have been
hacked again shortly after cleaning their server. They could have
just as easily missed a backdoor. In situations such as this where
the level of technical expertise is low suggesting anything other
than the best way can and just might cause more problems than the
right way of fixing it would have.
The reality of the situation is this: unless a full and
complete audit of the box is done by someone that really knows what
they are doing there is no way to be sure that all the backdoors
have been found.
I've only cleaned two boxes so the stats cannot be taken to
the bank, but the results are clear. One box was easy to clean
although the unhack.pl script would have missed the additional
modified SSHD and the other box had so many tricks installed
that re-installing from a CD was the only viable option even though
recommending that they do so cost me a rather nice fee.
I'm certainly not looking for an argument but I simply don't
think that suggesting that someone who isn't comfortable and quite
handy at the shell prompt can successfully unhack their server is
something we ought to be doing.
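The post's point about the modified sshd that a cleanup script would have missed comes down to a property of fixed-list scripts: they only check the files they know about. The following is an added example (not code from the post, the list, or the unhack.pl script it mentions) of a baseline comparison that flags every file that differs from, is missing from, or was added to a known-good manifest. The directory layout, file names and file contents are constructed inline for the demo; on a real box the baseline would have to be built from trusted media (for instance the restore CD the thread discusses), and a kernel-level rootkit can still lie to userland tools, which is exactly why a clean diff does not prove the box is clean.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular, non-symlink file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def audit(baseline, current):
    """Compare a trusted baseline manifest with the live tree.

    Returns the three things a fixed-list cleanup script cannot tell you:
    which known files changed, which unknown files appeared, which vanished.
    """
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario (assumption, not a real box): a clean tree and the
    same tree after an intruder swapped sshd and dropped an extra binary."""
    clean_files = {
        "usr/sbin/sshd": b"clean sshd",
        "bin/ls": b"clean ls",
        "bin/ps": b"clean ps",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for tree in (clean, live):
            for rel, data in clean_files.items():
                p = Path(tree) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)

        # Baseline is taken from the trusted copy, never from the suspect host.
        baseline = build_manifest(clean)

        # Intruder activity on the live tree: ls and ps were already put back by
        # a cleanup script, but sshd was replaced and a hidden listener was added.
        (Path(live) / "usr/sbin/sshd").write_bytes(b"trojaned sshd with hardcoded password")
        hidden = Path(live) / "usr/bin/.backdoor"
        hidden.parent.mkdir(parents=True, exist_ok=True)
        hidden.write_bytes(b"bindshell")

        return audit(baseline, build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it reports the replaced sshd under "modified" and the dropped file under "added" while the restored ls and ps stay quiet. What it cannot report is anything outside the filesystem view it was given: a patched kernel module, an in-memory process, or a cron entry on a partition that was not scanned, which is the residual risk the post is arguing about.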