what to do when you've been rooted
aqua at atlantic.devin.com
Sat Jan 20 17:48:40 PST 2001
Just speaking generally, it's often quicker to do a reinstall than run down
all of the avenues after a compromise -- that goes for most systems, UNIX and
otherwise. If you haven't done much customization other than stuff for your
own use (that is, stuff in your homedir), you can back up /home, reinstall,
and restore /home. There are some trust issues in /home also, if you made
executables for yourself in there, but they're less common targets.
Otherwise, find the rootkit and what it changed. After a root compromise the
system is untrustworthy -- including the kernel's reporting of what's actually
on the system. So boot off a write-protected rescue floppy or stick the drive
in the machine to do the sanitizing.
Devin \ aqua(at)devin.com, 1024D/E9ABFCD2; http://www.devin.com
Carraway \ IRC: Requiem GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
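One way to carry out the "trust issues in /home" check the message mentions before restoring the backup, as an added example that is not part of the original post: the script below is run from trusted rescue media against the suspect disk (or a copy of /home) mounted read-only at a path you pass in, so none of the compromised system's own binaries are executed. The mount point and the function names are assumptions for the example; it lists every executable file in the tree, flags setuid/setgid files separately (a user's home normally has none), records checksums of the executables so they can be compared against known-good copies, and strips setid bits as a sanitizing step.

```shell
#!/bin/sh
# Added example, not from the original message. Inventory and sanitize
# executables in a backed-up /home before restoring it onto a fresh install.
# Assumes the suspect /home is mounted (read-only for the inventory steps)
# at the directory passed as $1, and that find/sed/sha1sum come from rescue
# media rather than from the compromised system.

# Print every regular file carrying an execute bit under $1.
# Lines are prefixed SETID for setuid/setgid files and EXEC for the rest,
# so the output can be sorted and the SETID entries reviewed first.
inventory_execs() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SETID  /'
    find "$root" -xdev -type f -perm -100 ! -perm -4000 ! -perm -2000 -print 2>/dev/null \
        | sed 's/^/EXEC   /'
}

# Number of setuid/setgid regular files under $1; expected to be 0 for a
# user home directory, so anything else warrants a closer look.
count_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Record SHA-1 checksums of all executables under $1 into the file $2, so the
# list can be diffed against copies you know to be clean (or against a
# checksum list taken before the compromise, if one exists).
checksum_execs() {
    find "$1" -xdev -type f -perm -100 -print 2>/dev/null | sort | while read -r f; do
        sha1sum "$f"
    done > "$2"
}

# Sanitizing step: clear setuid/setgid bits on every regular file under $1.
# Requires the tree to be mounted read-write; ordinary user tools in a home
# directory have no legitimate need for these bits.
strip_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} + 2>/dev/null
}

# Usage from rescue media, with the suspect disk mounted at /mnt/suspect:
#   inventory_execs /mnt/suspect/home
#   count_setid /mnt/suspect/home
#   checksum_execs /mnt/suspect/home /root/home-execs.sha1
#   strip_setid /mnt/suspect/home      # after remounting read-write
```

The inventory deliberately stops at listing and checksumming: which executables to keep is a judgement call for the owner, and the only automatic change made is removing setid bits, which a home directory should never depend on.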