Date: 23 Nov 2003 18:06:12 -0500 From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org> To: "Cordula's Web" <cpghost@cordula.ws> Subject: Re: Monitoring a file? Message-ID: <441xryznvf.fsf@be-well.ilk.org> In-Reply-To: <200311231701.hANH1ipd098716@fw.farid-hajji.net> References: <200311222258.hAMMwApd092388@fw.farid-hajji.net> <16320.5175.69241.145102@jerusalem.litteratus.org> <20031123103544.GD9494@happy-idiot-talk.infracaninophile.co.uk> <200311231701.hANH1ipd098716@fw.farid-hajji.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Cordula's Web" <cpghost@cordula.ws> writes: > I've finally found the culprit with a traditional method: > * md5 (binary from an uncompromised machine) on all files > * reinstalling from scratch (not buildworld, but really > installing from FTP) > * md5 again and diff. [snip] > Ugh... system clean again at last. :) You can't be sure. The attacker probably put an suid binary somewhere besides the normal system binaries, in which case it's still there and you may still be vulnerable. When you know you've been hacked, you need to wipe the disk and *really* reinstall from scratch. And be very careful about what you restore from backups, too.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?441xryznvf.fsf>