Yes, a can of worms... But general direction would be nice...

Alex Esplin alex.esplin at gmail.com
Wed Jul 15 09:36:06 MDT 2009


On Wed, Jul 15, 2009 at 09:20, Andrew McNabb<amcnabb at mcnabbs.org> wrote:
> On Wed, Jul 15, 2009 at 12:34:10AM -0600, Gabriel Gunderson wrote:
>> On Tue, Jul 14, 2009 at 7:49 PM, Scott Morris<scottmorris at suseblog.com> wrote:
>> > When you have been hacked:
>>
>> I don't mean to be a downer, but I've got bad news... The only thing
>> to do if you've already *been hacked* is re-install and rebuild from
>> trusted sources.  Really, they've outsmarted you once, are you going
>> to give them another chance?
>>
>> Well, I guess if you had md5/sha1 sums (that you can trust) of every
>> file on your system and you're willing to go file-by-file and verify
>> them when mounted on a trusted system (*not* the one that was hacked),
>> then, maybe, you could sleep again at night knowing all is well.
>
> Even then, the kernel could be modified to lie about the contents of the
> files.  You really can't trust anything.

Yeah, if you have physical access to the box, there's no better
"un-hack" mechanism than a clean reinstall. It's fairly trivial to
replace common utilities with malicious ones once they've broken in.

>
> I highly recommend having your own kickstart script and/or postinstall
> script.  There should be a little script that installs all of the
> packages that you need and checks out config files from a Git
> repository.  This makes it really easy to recover from problems, whether
> they come from hacking, hardware failure, or mistakes.

+1 to this. After agonizing for way too long about what packages I've
been using and getting my config files all set up happily after a
reinstall, creating a git repo for my config files and a package list
that can be read by a script is a real life-saver.


-- 
Alex Esplin
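The two ideas in this thread, a rebuild script that installs a package list and checks out config files from git, and a trusted checksum list you verify from a system other than the hacked one, fit in one small helper. The script below is an added example and is not code anyone posted to the thread. Everything in it is assumed for illustration: the file name packages.txt, the repo URL git.example.invalid, the paths under /srv, and apt-get as the package manager. It never installs anything unless DO_INSTALL=1 is set, and the manifest check is meant to be run with the suspect disk mounted on a clean machine, since, as Andrew points out, the compromised kernel (or a replaced sha256sum) can lie about file contents.

```shell
#!/bin/sh
# rebuild.sh -- hypothetical post-install helper (added example, not from the
# PLUG thread). Assumptions, all invented for illustration:
#   - packages.txt lists one package per line; '#' starts a comment
#   - a git repo of config files whose paths mirror the root fs
#     (e.g. etc/ssh/sshd_config in the repo lands in /etc/ssh/sshd_config)
#   - apt-get is the package manager (swap in yum/zypper as needed)
#   - the sha256 manifest is copied OFF the box after install; a checksum
#     list kept on a compromised machine proves nothing
# Nothing is installed unless DO_INSTALL=1; otherwise commands are printed.
set -eu

PKG_LIST=${PKG_LIST:-packages.txt}
CONFIG_REPO=${CONFIG_REPO:-git@git.example.invalid:ops/configs.git}  # assumed
CONFIG_DIR=${CONFIG_DIR:-/srv/configs}
TARGET_ROOT=${TARGET_ROOT:-/}
MANIFEST=${MANIFEST:-/srv/configs.sha256}

# Print package names from a list file: comments and blank lines dropped,
# whitespace trimmed, duplicates removed, one name per line, sorted.
parse_pkg_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | LC_ALL=C sort -u
}

# Build the install command from the list; run it only when DO_INSTALL=1.
install_packages() {
    pkgs=$(parse_pkg_list "$1" | tr '\n' ' ')
    if [ "${DO_INSTALL:-0}" = 1 ]; then
        # word splitting on $pkgs is intended: one argument per package
        apt-get install -y $pkgs
    else
        echo "DRY RUN: apt-get install -y $pkgs"
    fi
}

# Clone (or fast-forward) the config repo and copy every tracked file into
# place under TARGET_ROOT, creating parent directories as needed.
deploy_configs() {
    if [ -d "$CONFIG_DIR/.git" ]; then
        git -C "$CONFIG_DIR" pull --ff-only
    else
        git clone "$CONFIG_REPO" "$CONFIG_DIR"
    fi
    git -C "$CONFIG_DIR" ls-files | while read -r f; do
        mkdir -p "$(dirname "$TARGET_ROOT/$f")"
        cp -p "$CONFIG_DIR/$f" "$TARGET_ROOT/$f"
    done
}

# Record a sha256 for every file under tree $1 (paths relative to $1) into
# manifest $2, which must be an absolute path. Keep a copy off the box.
write_manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done) > "$2"
}

# Compare tree $1 against manifest $2 (absolute path). Returns 0 only if every
# listed file is present and matches. Run this from a trusted system with the
# suspect disk mounted read-only; on the hacked box itself the kernel or the
# sha256sum binary may have been replaced and will happily report "OK".
verify_manifest() {
    (cd "$1" && sha256sum --quiet -c "$2")
}

# Full run: ./rebuild.sh run   (sourcing the file only defines the functions).
# The manifest here covers /etc, the part the repo deploys; packaged binaries
# are better checked with the package manager's own verify mode.
main() {
    install_packages "$PKG_LIST"
    deploy_configs
    write_manifest "$TARGET_ROOT/etc" "$MANIFEST"
}
if [ "${1:-}" = run ]; then
    main
fi
```

The manifest is only as trustworthy as where it lives: write it right after the clean rebuild, move it (and the package list and config repo) somewhere the box cannot reach, and check against it only from a machine you have not booted from the suspect disk.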
