[lug] Ancient RH box hacked, which packages must be updated?

Jeff Schroeder jeff at neobox.net
Thu Mar 25 17:25:59 MST 2004


Bear asked:

> Does anyone know which packages
> *must* be updated because of known exploits, or should we consider
> it a lost cause and put all of our effort into migrating to the
> new platform?

I think a good general rule is that if you've been hacked, REBUILD.  
Unless you're running Tripwire or something-- and have recent 
signatures built-- it's going to be extremely difficult to hunt down 
files that have been compromised.  Even then, you'll need to track down 
"known good" versions and replace them one at a time.  Whee!

Updating system software probably won't alleviate the problem, since 
many of the compromised files will probably be outside the scope of 
your update anyway.

I had a client get hacked, and they wanted me to just "clean up" the 
machine... I told them it was best to simply wipe the drive and start 
from scratch.  It's simply not worth the time and effort; you'll spend 
less time (and have fewer headaches) if you assume the server is beyond 
repair.

$0.02,
Jeff


