Re: '(no
dmaziuk@yola.bmrb.wisc.edu (Dimitri Maziuk) writes:
> > I can easily agree with the above, emphasizing the "if" clause on top
> > of it. You do not want to wipe away your computer and spend a good
> > amount of time rebuilding it unless you _believe_ it has been rooted.
> > That's why you unplug it (to begin with) and carefully check the
> > contents of its hard disk(s) using a known good system, possibly using
> > another computer altogether to do the check.
> >
> > THEN you wipe the compromised system away and reinstall it...
Bootable CDs are jolly useful for this.
> "I can easily agree with the above, emphasizing the "if" clause". ;) If
> you're good at hunting down r00tkits, and the server is not critical,
> then yes. Besides, it's a good learning experience. If you want the
> server back on-line ASAP, wipe and reinstall is usually faster.
One possible compromise, that should probably be happening anyway: take an
archive copy for your forensics and/or as a last-minute backup before the
wipe. That can probably be done quickly enough to fit the wipe & reinstall
route.
~Tim
--
That morning dawn, with no regrets |piglet@stirfried.vegetable.org.uk
We stood in line, we laughed |http://spodzone.org.uk/
In silhouette |
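The archive-before-wipe step Tim suggests, as an added shell example that is not code from this thread. It assumes you are running from a boot CD or another known-good host with dd, sha256sum (or shasum) and the usual coreutils available; DEVICE and DEST_DIR are placeholders for the suspect disk and a directory on trusted storage. The source is read sector-by-sector so that bad sectors are padded rather than skipped (which would shift every later offset), and both source and image are hashed so the copy can be checked again later:

```shell
#!/bin/sh
# Added example: take a forensic archive copy of a suspect disk before
# wiping it. Not from the original thread. Assumes POSIX sh plus dd and
# sha256sum/shasum; DEVICE and DEST_DIR are placeholders.

set -u

# sha256_of FILE: print the SHA-256 hex digest (sha256sum or shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk DEVICE DEST_DIR
# Copies DEVICE block-for-block into DEST_DIR/disk.img, records SHA-256 of
# the source and of the image in DEST_DIR/sha256.txt, and returns non-zero
# if the two differ. Refuses to run while DEVICE is mounted: a live
# filesystem changes under the copy, and binaries on it may be the rootkit.
image_disk() {
    dev=$1
    dest=$2

    if [ ! -r "$dev" ]; then
        echo "image_disk: cannot read $dev" >&2
        return 2
    fi
    # Linux-specific mount check; /proc/mounts is absent elsewhere and
    # grep -s then simply reports "not mounted".
    if grep -qs -- "^$dev " /proc/mounts; then
        echo "image_disk: $dev is mounted, unmount it first" >&2
        return 3
    fi
    mkdir -p "$dest" || return 4

    # bs=512 with conv=noerror,sync: an unreadable sector is replaced by 512
    # zero bytes, so every later byte stays at its original offset. This is
    # slow on a large disk; ddrescue or dc3dd are better tools for a failing
    # drive, but the principle is the same.
    dd if="$dev" of="$dest/disk.img" bs=512 conv=noerror,sync \
        2>"$dest/dd.log" || return 5

    src_hash=$(sha256_of "$dev")
    img_hash=$(sha256_of "$dest/disk.img")
    {
        echo "taken  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "device $dev"
        echo "source $src_hash"
        echo "image  $img_hash"
    } > "$dest/sha256.txt"

    if [ "$src_hash" != "$img_hash" ]; then
        echo "image_disk: hash mismatch, see $dest/dd.log" >&2
        return 6
    fi
    return 0
}

# verify_image DEST_DIR
# Re-hashes DEST_DIR/disk.img and compares it with the digest recorded at
# imaging time; use it before analysing the image or restoring from it.
verify_image() {
    dest=$1
    recorded=$(awk '$1 == "image" { print $2 }' "$dest/sha256.txt")
    [ -n "$recorded" ] || return 2
    [ "$(sha256_of "$dest/disk.img")" = "$recorded" ]
}

# Stand-alone usage: image_disk.sh DEVICE DEST_DIR
if [ $# -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

After the copy, keep the image and sha256.txt on the known-good machine; any later mount of disk.img for inspection should be read-only (and preferably `noexec`) so that nothing on the suspect filesystem runs on the analysis host.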
- References:
- Re: '(no
- From: Petro <petro@auctionwatch.com>
- Re: '(no
- From: Giacomo Mulas <gmulas@ca.astro.it>
- Re: '(no
- From: dmaziuk@yola.bmrb.wisc.edu (Dimitri Maziuk)