[lug] Ancient RH box hacked, which packages must be updated?
Jeff Schroeder
jeff at neobox.net
Thu Mar 25 17:25:59 MST 2004
Bear asked:

> Does anyone know which packages
> *must* be updated because of known exploits, or should we consider
> it a lost cause and put all of our effort into migrating to the
> new platform?

I think a good general rule is that if you've been hacked, REBUILD.
Unless you're running Tripwire or something-- and have recent
signatures built-- it's going to be extremely difficult to hunt down
files that have been compromised. Even then, you'll need to track down
"known good" versions and replace them one at a time. Whee!

Updating system software probably won't alleviate the problem, since
many of the compromised files will probably be outside the scope of
your update anyway.

I had a client get hacked, and they wanted me to just "clean up" the
machine... I told them it was best to simply wipe the drive and start
from scratch. It's simply not worth the time and effort; you'll spend
less time (and have fewer headaches) if you assume the server is beyond
repair.

$0.02,
Jeff
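
An added example, not part of the original message: a minimal Tripwire-style baseline comparison showing the two points made above, that changes can only be found against signatures taken beforehand, and that a package update leaves altered or new files outside its scope in place. The file names, the temporary directory tree and the `package_owned` set are constructed for illustration.

```python
import hashlib, os, tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Diff a known-good baseline against the current state of the tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def untouched_by_update(report, package_owned):
    """Changed or new paths that reinstalling packages would not overwrite."""
    changed = report["modified"] + report["added"]
    return sorted(p for p in changed if p not in package_owned)

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a small tree, alter it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/ls", b"original ls")
        write(root, "etc/app.conf", b"original config")
        baseline = snapshot(root)                       # taken while known good
        write(root, "bin/ls", b"replaced ls")           # package-owned file altered
        write(root, "etc/app.conf", b"changed config")  # local config altered
        write(root, "tmp/.hidden/tool", b"unknown")     # file no package owns
        report = compare(baseline, snapshot(root))
    package_owned = {os.path.join("bin", "ls")}         # assumed package manifest
    return report, untouched_by_update(report, package_owned)

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline and the tool doing the hashing, so both need to live somewhere the compromised host could not have modified.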