Re: [cobalt-users] chkrootkit output show possible ambient
- Subject: Re: [cobalt-users] chkrootkit output show possible ambient
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Nov 20 08:52:00 2002
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"alan@" <alan@xxxxxxxxx> wrote:
> I have been researching a little through the archives, and am considering
> whether to go through the suggestions in this posting :
> http://list.cobalt.com/pipermail/cobalt-users/2002-November/081008.html
I posted that so I'll comment.
> I have deleted /usr/lib/.ark? but I am not sure about the poster's
> instruction to delete /dev/ptyxx
> (is ptyxx pty with 2 wildcards or an actual file ptyxx?)
It's ptyxx - the alphabet letter, not a wildcard.
> I guess, what I am trying to get away with, is not to have to wipe the
> disk and start again.
That would be the safest route. If you have the proper tools, logs and
skills you can do a full diagnostic and be reasonably comfortable you
removed all rootkits, replaced all modified binaries, removed all rogue
programs and plugged any holes (including changing every password currently
on the server, a must no matter what), but to be nearly certain requires a
lot of time and skill, especially if the hacker took steps to cover his/her
tracks. In my experience, it's usually quicker to restore from the OS
restore CD, set up a security implementation and restore from known clean
backups, but if that's not possible do the best you can without a full
restore.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
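The reply above describes two defensive tasks: confirming whether the two artifacts named in the thread (`/usr/lib/.ark?` and `/dev/ptyxx`) are present, and checking whether system binaries were replaced. The script below is an added example, not code from the thread or from Sun Cobalt, and it is not a substitute for chkrootkit. It assumes a POSIX shell with `cksum`, it assumes you recorded a baseline of checksums from a known-clean system beforehand, and it never deletes anything. The `ROOT` argument lets you point it at a mounted copy of the suspect disk, so the check does not rely on tools that may themselves have been trojaned. The demo tree it builds is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the original thread): read-only checks for the
# artifacts the thread names, plus a checksum comparison against a baseline.

# Print each matching indicator to stderr and echo the number found on stdout.
# Usage: count_ark_indicators /path/to/root
count_ark_indicators() {
    root="${1:-/}"
    n=0
    # Per the reply: ".ark?" is .ark followed by one letter (shell glob below),
    # while "ptyxx" is the literal file name, not a wildcard.
    for p in "$root"/usr/lib/.ark? "$root"/dev/ptyxx; do
        [ -e "$p" ] || continue
        echo "INDICATOR: $p" >&2
        n=$((n + 1))
    done
    echo "$n"
}

# Compare files under root against a baseline of "crc size relpath" lines
# (plain cksum output recorded on a clean system). Prints each mismatch or
# missing file to stderr and echoes the number of bad entries on stdout.
# Usage: verify_baseline baseline.txt /path/to/root
verify_baseline() {
    baseline="$1"
    root="${2:-/}"
    bad=0
    while read -r want_crc want_size rel; do
        [ -n "$rel" ] || continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING: $rel" >&2
            bad=$((bad + 1))
            continue
        fi
        # cksum prints "crc size path"; split it into $1 $2 $3.
        set -- $(cksum "$f")
        if [ "$1" != "$want_crc" ] || [ "$2" != "$want_size" ]; then
            echo "MODIFIED: $rel (have $1/$2, want $want_crc/$want_size)" >&2
            bad=$((bad + 1))
        fi
    done < "$baseline"
    echo "$bad"
}

# Constructed demo: build a tiny fake root, record a baseline, then plant the
# two indicators and a replaced "ps" to show what the checks report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib" "$tmp/dev" "$tmp/bin"
    printf 'clean ps binary\n' > "$tmp/bin/ps"
    printf 'clean ls binary\n' > "$tmp/bin/ls"
    ( cd "$tmp" && cksum bin/ps bin/ls ) > "$tmp/baseline.txt"
    mkdir "$tmp/usr/lib/.arkx"          # constructed stand-in for /usr/lib/.ark?
    : > "$tmp/dev/ptyxx"                # constructed stand-in for /dev/ptyxx
    printf 'replaced ps\n' > "$tmp/bin/ps"
    echo "indicators found: $(count_ark_indicators "$tmp")"
    echo "binaries differing from baseline: $(verify_baseline "$tmp/baseline.txt" "$tmp")"
    rm -rf "$tmp"
}

demo
```

On a real system the baseline must come from somewhere the intruder could not reach (the OS restore media, or a checksum list kept off the box), because a list generated on the compromised server after the fact only proves the files have not changed since you looked.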