From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
Date: Mon, 9 Aug 2010 22:22:20 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.34-gentoo-r1; KDE/4.4.5; x86_64; ; )
In-Reply-To: <4C606441.8070201@gmail.com>
Message-Id: <201008092222.40931.michaelkintzios@gmail.com>

On Monday 09 August 2010 21:25:37 Dale wrote:
> Robert Bridge wrote:
> > On Mon, Aug 9, 2010 at 8:09 PM, Mick wrote:
> >> There have been discussions on this list why sudo is a bad idea and sudo
> >> on *any* command is an even worse idea. You might as well be running
> >> everything as root, right?
> >
> > sudo normally logs the command executed, and the account which
> > executes it, so while not relevant for single user systems, it STILL
> > has benefits over running as root.
> >
> > RobbieAB
>
> I don't use sudo here but I assume an admin would only know that a nasty
> command has been run well after it was run? Basically, after the damage
> has been done, you can go look at the logs and see the mess some hacker
> left behind. For me, that isn't a whole lot of help. You still got
> hacked, you still got to reinstall and check to make sure anything you
> copy over is not infected.
>
> Assuming that they can erase dmesg, /var/log/messages and other log
> files, who's to say the sudo logs aren't deleted too? Then you still
> have no records to look at.
>
> I agree with the other posters tho, re-install from scratch and re-think
> your security setup.
That's the problem with any compromise worth its salt: all logs will be
tampered with to clear traces of interference with your system. Monitoring
network traffic from a healthy machine is a good way to establish suspicious
activity on the compromised box, and it also helps to check for open ports
(nmap, or netcat) to find out what's happening to the compromised box.
--
Regards,
Mick
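The check Mick describes, scanning the suspect box from a separate healthy machine rather than trusting anything it reports about itself, becomes far more useful when the scan is compared against a baseline of the ports that are supposed to be open, so that anything extra stands out. The script below is an added example written for this thread, not code posted by any of its participants. It assumes nmap is installed on the trusted machine and uses nmap's grepable (-oG) output format; the host 192.0.2.10 (a documentation address) and the sample scan output embedded in sample_scan are constructed for illustration, not a real scan.

```shell
#!/bin/sh
# Added example (not from the thread): compare the open ports seen on a
# possibly compromised host, scanned from a separate trusted machine,
# against a baseline of ports that are expected to be open.
# Assumes nmap is installed on the trusted machine. The parsing and
# comparison logic is exercised on a constructed -oG sample so it can be
# tried offline.

# Print "port/proto" for every open port in nmap grepable (-oG) output on stdin.
# An -oG host line looks like:
#   Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: ...
open_ports_from_grepable() {
    sed -n 's/.*Ports: //p' |           # keep only the port list part of the line
    tr ',' '\n' |                        # one port entry per line
    sed 's/^ *//' |                      # drop the leading space after each comma
    awk -F/ '$2 == "open" { print $1 "/" $3 }' |   # fields: port/state/proto/...
    sort -u
}

# Print open ports (one "port/proto" per line) that are NOT in the baseline file.
# Baseline file format: one "port/proto" per line, e.g. "22/tcp".
unexpected_ports() {
    baseline=$1
    scan=$2
    tmp=$(mktemp)
    open_ports_from_grepable < "$scan" > "$tmp"
    # comm -13: suppress lines only in baseline (col 1) and common lines (col 3),
    # leaving lines that appear only in the scan.
    sort -u "$baseline" | comm -13 - "$tmp"
    rm -f "$tmp"
}

# Full TCP port scan of $1 from this (trusted) host, compared against baseline $2.
# Exit status: 0 = nothing unexpected, 1 = unexpected ports found, 2 = scan failed.
check_host() {
    target=$1
    baseline=$2
    scan=$(mktemp)
    if ! nmap -p- -oG "$scan" "$target" >/dev/null 2>&1; then
        rm -f "$scan"
        echo "scan of $target failed (is nmap installed here?)" >&2
        return 2
    fi
    extra=$(unexpected_ports "$baseline" "$scan")
    rm -f "$scan"
    if [ -n "$extra" ]; then
        echo "unexpected open ports on $target:" >&2
        echo "$extra"
        return 1
    fi
    echo "no unexpected open ports on $target"
}

# Constructed sample of nmap -oG output (not a real scan) for offline testing.
# 31337/tcp is deliberately present to stand in for a port the baseline lacks.
sample_scan() {
    printf '%s\n' '# Nmap scan report (constructed sample, not a real scan)'
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///, 53/closed/udp//domain///\tIgnored State: closed (65531)\n'
}

# Usage from the trusted machine: sh portcheck.sh 192.0.2.10 baseline.txt
if [ "$#" -ge 2 ]; then
    check_host "$1" "$2"
fi
```

The baseline file is written on the trusted machine from what the box is *supposed* to expose (for a typical server that might be just 22/tcp and 80/tcp), never from a scan of the box after it is already suspect; otherwise a backdoor port would simply become part of the baseline. Running the check on a schedule and keeping the results on the trusted machine also gives you a record that the intruder cannot erase by cleaning logs on the compromised host, which is the gap Dale points out.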