From: Volker Armin Hemmann
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hacked by association?
Date: Fri, 21 Sep 2007 12:43:52 +0200
Message-Id: <200709211243.52624.volker.armin.hemmann@tu-clausthal.de>
In-Reply-To: <49bf44f10709210316i65dae73w2195e7dc95dd7e50@mail.gmail.com>

On Friday, 21 September 2007, Grant wrote:
> > > Do I need to start this thing over?
> >
> > yes. No tool can tell you for certain that no malware is rampaging on your
> > system. netstat, ps, emerge might be hacked already. As might be md5sum
> > and other tools to generate and compare checksums. There is only one way
> > to make sure your system is clean:
> >
> > reinstallation
>
> Although I haven't found any evidence of intrusion, I've been urged
> off-list to reinstall and since I'm about 4 hours early to rise this
> morning I think I better.

If your intruder has at least some skills and doesn't want to leave evidence behind, you have nearly zero chance to find any signs. That is the evil part about being 'maybe hacked'. Even with the best tools you can only say 'the hacker must be good' and not 'there was no hacker'.

> Can we go over a good plan for the transition? My main concerns are
> backing up the right files and a good remote installation procedure as
> it's been years since I did that. Thanks.

I would tar everything up and copy back the files you really want - after checking them.

Stuff from /etc, like the files in /etc/conf.d, make.conf, the files in /etc/portage and other stuff you edited, the /home tree, your database and website files, if there are any. But don't copy anything back without having a look first.

Your world file might be helpful to spare some time.

/usr/portage stuff should be nuked completely - it is so easy to replace it is not worth the risk of a hacked ebuild ...

Don't forget to mkfs the partitions first before you start reinstallation.

About remote installation: never done that, hopefully someone else on the list can help you with that.

--
gentoo-user@gentoo.org mailing list
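The selective backup Volker describes, written out as an added example (this is not code from the thread or from Gentoo). It is a POSIX shell function meant to be run from a trusted rescue medium with the old disk mounted at ROOT, because the thread's point is that tar, find and md5sum on the compromised system itself may already be trojaned. It archives only the paths named in the mail plus the world file (assumed to live at var/lib/portage/world, Gentoo's usual location), deliberately leaves /usr/portage out, and writes a sha256 manifest so the contents can be reviewed on a clean machine before anything is copied back. The function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Run this from a trusted rescue
# medium with the old disk mounted (read-only) at ROOT; the thread's point is
# that tar, find and md5sum on the compromised system itself may be trojaned.
set -eu

# Paths named in the mail, relative to ROOT, plus Gentoo's world file
# (assumed location: var/lib/portage/world). /usr/portage is deliberately
# absent: it is cheap to re-sync and a modified ebuild would re-infect the
# new install.
REVIEW_PATHS="etc/conf.d etc/make.conf etc/portage var/lib/portage/world home"

# backup_for_review ROOT OUTDIR
# Writes OUTDIR/review.tar (the listed paths only) and
# OUTDIR/manifest.sha256 (one line per regular file) and prints the number
# of files in the manifest. Nothing is restored automatically: the tarball
# is meant to be unpacked and inspected on a clean machine first.
backup_for_review() {
    root=$(cd "$1" && pwd)
    mkdir -p "$2"
    out=$(cd "$2" && pwd)
    list="$out/paths.txt"
    : > "$list"
    for p in $REVIEW_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "$p" >> "$list"
        fi
    done
    if [ ! -s "$list" ]; then
        echo 0
        return 0
    fi
    # -C makes the archive members relative, so they cannot overwrite
    # anything on the reviewing host when extracted into a scratch directory.
    tar -C "$root" -cf "$out/review.tar" -T "$list"
    # Checksums come from the rescue medium's sha256sum, not the suspect
    # system's, so they can be compared against a known-good copy later.
    (cd "$root" && find $(cat "$list") -type f -exec sha256sum {} + | sort -k 2) \
        > "$out/manifest.sha256"
    wc -l < "$out/manifest.sha256" | tr -d ' '
}

# list_archive OUTDIR: print the archive members for a first look before
# anything is unpacked.
list_archive() {
    tar -tvf "$1/review.tar"
}
```

Usage: `backup_for_review /mnt/olddisk /media/usb/review` from the rescue shell, then `list_archive /media/usb/review` and a read-through of every config file on a clean box before copying anything into the fresh install; the manifest gives a record of exactly what was carried over.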