Gideon Lenkey wrote:
> On Tue, 19 Feb 2002, Bryan Andersen wrote:
>
> /* Make a backup. wipe and reload. Then restore your data only.
> /* It has been rooted. Telnet should not be doing that at all.
>
> You really don't have to wipe and reload to recover from this root kit.
> It really doesn't change much. See the instructions in the archive:
>
> http://online.securityfocus.com/archive/75/249597

Those instructions may be sufficient for cleaning up the residue of the *attack*, but because it's a root kit, they could have done anything to the system. Unless you know _exactly_ what they've done (which is highly unlikely unless you're running full auditing), standard practice after any root compromise should be to reinstall and restore from backup.

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Feb 24 2002 - 20:59:21 PST