Yes, a can of worms... But general direction would be nice...

Sasha Pachev sasha at
Wed Jul 15 12:23:31 MDT 2009

Thoughts on reinstalling vs. repairing a hacked system. True, if
you've been hacked theoretically anything is possible. But I have
noticed that our kind, computer geeks, have a mental disease of sorts
- the inability to differentiate between probable and possible.
Possibly because we see ways to turn the possible into reality with a
few lines of code. We will spend a lot of time taking care of the
possible with no regard as to how probable that is.

If you run a small site and you've been hacked, of course anything is
possible, but what is most probable is that some automated bot
exploited a known security weakness and created a nest for itself
without changing your critical data except maybe inserting some
malicious code into your live web application. They would not be so
smart as to do anything that requires the specific knowledge of your
application, such as modify your data tables in a way that would be of
use to them and not obvious to you. Think of something that is portable
across sites; you are rarely important enough for a hand-crafted
site-specific hack unless you are Google or Yahoo or somebody big. If
you replace the system files and the application code (hope there is
another copy of it somewhere) you are usually OK. Even when you do not
have a backup for the application, load your main application page,
debug the weird behavior, track it down, find/grep for the trouble in
the tree, remove it manually and you are good to go.

As we have learned through the bad experiences some of us had on this
list, doing something conceptually correct could really tick off your
client when he loses the data he values even when that data has been
theoretically invalidated through a break-in.

Sasha Pachev
AskSasha Linux Consulting

Fast Running Blog.
Run. Blog. Improve. Repeat.
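The "find/grep for the trouble in the tree" step above is much faster when you still have a known-good copy of the application: hash both trees and the added, missing and modified files fall out directly, and those are the files worth reading. The script below is an added example, not part of Sasha's post; it constructs a small backup tree and a live tree with one modified file and one dropped-in file (both labelled as constructed) and reports the differences. Symlinks are skipped so the comparison cannot be steered outside the tree.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> Dict[str, str]:
    """Map each regular file's path (relative to root, POSIX form) to its digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():          # never follow links out of the tree
                continue
            digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def compare_trees(known_good: Path, live: Path) -> Dict[str, List[str]]:
    """Report files that were added, removed or changed relative to the backup."""
    good = tree_digests(known_good)
    now = tree_digests(live)
    common = set(good) & set(now)
    return {
        "added": sorted(set(now) - set(good)),
        "missing": sorted(set(good) - set(now)),
        "modified": sorted(p for p in common if good[p] != now[p]),
    }


def build_demo() -> Tuple[Path, Path]:
    """Constructed sample data: a backup tree and a tampered live copy of it."""
    base = Path(tempfile.mkdtemp(prefix="treecmp_"))
    good, live = base / "backup", base / "live"
    files = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "lib/db.php": "<?php // db helpers\n",
        "css/site.css": "body { margin: 0 }\n",
    }
    for root in (good, live):
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
    # Constructed tampering in the live copy only: one edited file, one new file.
    (live / "index.php").write_text(files["index.php"] + "<?php /* constructed: appended line */ ?>\n")
    (live / "images").mkdir()
    (live / "images" / "x.php").write_text("<?php /* constructed: dropped-in file */ ?>\n")
    return good, live


def demo() -> Dict[str, List[str]]:
    good, live = build_demo()
    return compare_trees(good, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Point `compare_trees()` at the backup and the live document root; the "added" and "modified" lists are the short reading list, and the "missing" list tells you whether anything the site relies on was deleted. Without a backup, a package manager's own verification (`rpm -V`, `debsums`) covers the system files the same way, which is what makes the "replace the system files" half of the advice cheap.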
