From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from )
	id 1OiYv2-0002Od-HI for garchives@archives.gentoo.org; Mon, 09 Aug 2010 20:26:00 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 22F2AE0E14;
	Mon, 9 Aug 2010 20:25:41 +0000 (UTC)
Received: from mail-vw0-f53.google.com (mail-vw0-f53.google.com [209.85.212.53])
	by pigeon.gentoo.org (Postfix) with ESMTP id 03ADBE0E14
	for ; Mon, 9 Aug 2010 20:25:40 +0000 (UTC)
Received: by vws15 with SMTP id 15so8021292vws.40
	for ; Mon, 09 Aug 2010 13:25:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:subject:references:in-reply-to
	:content-type:content-transfer-encoding;
	bh=FM5YIpZbFaHsmWuk6wVNpCUZe4Xbx2SRa4z5KvBx6TI=;
	b=TLgbd5f+26iuZ1ZNu83XiLEpJYwPVhChvjIWylV8W3TSAo/jaDUBCSs7cBvGeyl9cA
	hR+ipjY1uqauWriuPK5/I0CTWxJb5Ne+nyylFSkb+PGI6KU/QsqD7M4YtXk8xSCcpgdT
	VE4dvcYsK/FSjxgqVnS1Uve6mDQLO7m0mzPlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject:references
	:in-reply-to:content-type:content-transfer-encoding;
	b=AiLddJwSJQIe/t++rZiM3F26wGWXy2ePZb4Pr9xvzE5jYk9GbCZ3xYrYLjZN87PzHr
	TvhOhRQSFcGi9RmnHfrHwSfbknzpQQ3opgTIb8Gtt8mJ6dli8t29fzo44YV/E5iRqUix
	gZM8CCwgG3F1w6vJVekzZy8i4nzlMVfAjhSic=
Received: by 10.220.62.198 with SMTP id y6mr2979200vch.80.1281385540625;
	Mon, 09 Aug 2010 13:25:40 -0700 (PDT)
Received: from [192.168.1.2] (adsl-240-55-50.jan.bellsouth.net [74.240.55.50])
	by mx.google.com with ESMTPS id e18sm1082441vcf.12.2010.08.09.13.25.38
	(version=SSLv3 cipher=RC4-MD5); Mon, 09 Aug 2010 13:25:39 -0700 (PDT)
Message-ID: <4C606441.8070201@gmail.com>
Date: Mon, 09 Aug 2010 15:25:37 -0500
From: Dale
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
References: <201008092009.38665.michaelkintzios@gmail.com>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 5c2e2100-efa1-4122-9766-34c7755494bf
X-Archives-Hash: ad532851d643692e769afd21251b525d

Robert Bridge wrote:
> On Mon, Aug 9, 2010 at 8:09 PM, Mick wrote:
>
>> There have been discussions on this list why sudo is a bad idea and sudo on
>> *any* command is an even worse idea. You might as well be running everything
>> as root, right?
>>
> sudo normally logs the command executed, and the account which
> executes it, so while not relevant for single user systems, it STILL
> has benefits over running as root.
>
> RobbieAB
>
>

I don't use sudo here, but I assume an admin would only know that a nasty 
command has been run well after it was run? Basically, after the damage 
has been done, you can go look at the logs and see the mess some hacker 
left behind. For me, that isn't a whole lot of help. You still got 
hacked, you still got to reinstall and check to make sure anything you 
copy over is not infected. Assuming that they can erase dmesg, 
/var/log/messages and other log files, who's to say the sudo logs aren't 
deleted too? Then you still have no records to look at.

I agree with the other posters though, re-install from scratch and 
re-think your security setup.

Dale

:-)  :-)
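The two points the thread makes about sudo, that it records which account ran which command as root and that an intruder who already has root can erase that record along with dmesg and /var/log/messages, as an added example that is not part of the original thread or of any poster's code: a small Python parser for the syslog records sudo writes by default ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."), which rebuilds the per-account trail RobbieAB describes and separately flags the commands that would destroy it. The log excerpt, host name, account names and commands are constructed for the example. The trail is only worth having if it survives the compromise, so the practical assumption behind a script like this is that the same records are forwarded to a log host the attacker cannot reach as they are written; nothing in the thread describes that setup.

```python
import os
import re
from collections import defaultdict

# Constructed sample syslog excerpt in the layout sudo uses for its default
# syslog records. These lines are made up for the example; they are not
# taken from the thread or from any real host.
SAMPLE_LOG = """\
Aug  9 20:01:12 box sudo:     dale : TTY=pts/0 ; PWD=/home/dale ; USER=root ; COMMAND=/usr/bin/emerge --sync
Aug  9 20:03:40 box sudo:     dale : TTY=pts/0 ; PWD=/home/dale ; USER=root ; COMMAND=/bin/cat /var/log/messages
Aug  9 20:05:02 box sudo: intruder : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -f /var/log/messages /var/log/sudo.log
Aug  9 20:05:03 box sudo: intruder : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/dmesg -c
Aug  9 20:06:15 box sudo: intruder : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Aug  9 20:07:00 box sshd[1234]: Accepted publickey for dale from 192.0.2.10 port 50022 ssh2
"""

# "Mon DD HH:MM:SS host sudo: <spaces>user : <fields>"
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)$"
)

# Commands that, run as root against something under LOG_DIR, destroy the
# very record sudo just produced; `dmesg -c`/`-C` clears the kernel ring buffer.
DESTRUCTIVE = {"rm", "shred", "truncate", "unlink", "mv", "chattr"}
LOG_DIR = "/var/log"


def parse_sudo_line(line):
    """Return a dict for a sudo syslog record, or None for any other line."""
    m = SUDO_RE.match(line)
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "user": m.group("user"), "denied": None, "COMMAND": None}
    rest = m.group("rest")
    # COMMAND is always the last field and may itself contain " ; ",
    # so split it off before breaking the remaining fields apart.
    head, sep, command = rest.partition("COMMAND=")
    if sep:
        rec["COMMAND"] = command.strip()
    for field in head.split(" ; "):
        field = field.strip()
        if not field:
            continue
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
        else:
            # A free-text field such as "user NOT in sudoers" or
            # "3 incorrect password attempts" marks a rejected attempt.
            rec["denied"] = field
    return rec


def is_log_tampering(command):
    """True if the command deletes, moves or truncates files under LOG_DIR,
    or clears the kernel ring buffer. Merely reading a log is not flagged."""
    argv = command.split()
    if not argv:
        return False
    base = os.path.basename(argv[0])
    if base == "dmesg":
        return any(a in ("-c", "-C", "--clear", "--read-clear") for a in argv[1:])
    if base in DESTRUCTIVE:
        return any(a == LOG_DIR or a.startswith(LOG_DIR + "/") for a in argv[1:])
    return False


def summarize(log_text):
    """Build the per-account trail (who ran what via sudo), the rejected
    attempts, and the subset of commands that would erase the trail."""
    by_user = defaultdict(list)
    denied = []
    tampering = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if rec["denied"]:
            denied.append(rec)
            continue
        by_user[rec["user"]].append(rec["COMMAND"])
        if rec["COMMAND"] and is_log_tampering(rec["COMMAND"]):
            tampering.append(rec)
    return {"by_user": dict(by_user), "denied": denied, "tampering": tampering}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user, cmds in report["by_user"].items():
        print(f"{user}: {len(cmds)} command(s) run via sudo")
    for rec in report["denied"]:
        print(f"DENIED {rec['ts']} {rec['user']}: {rec['denied']} ({rec['COMMAND']})")
    for rec in report["tampering"]:
        print(f"LOG TAMPERING {rec['ts']} {rec['user']}: {rec['COMMAND']}")
```

On the sample the "dale" account shows two ordinary commands, the "intruder" account shows one rejected attempt and two commands that remove or clear logs; the `cat` of /var/log/messages is deliberately not flagged, since reading a log is not tampering. Run against a real /var/log/messages or a forwarded copy, the same functions give the "who did what" record the thread credits sudo with, and the tampering list is the signal worth alerting on at the remote end.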