On Saturday 26 February 2005 02:31 am, D. Hageman wrote:
> The problem with said philosophy is that the system had to be hacked before the rootkit was installed.
It's hardly a rootkit. It's a back door. That's all.
> You are working under the assumption that this is all they did ...
No, I have worked toward the conclusion that was all they did, given the evidence of the condition of the system.
I believe I've said rather clearly, and more than once, that I have taken multiple approaches to fixing this. RPM, comprehensive as it is, has not been the only tool.
> If you had a tripwire database...
Annoying as it is, I do.
> Still, you need to re-install.
Well, I have reinstalled a good deal of the system, as I clearly said in earlier messages. I think the blind "oh ya gotta wipe the system" response is unjustified in this case, and I had hoped to avoid a lot of useless speculation toward that end.
I have dealt with hacked systems where that was necessary, I know what they look like. Rather early in the age of the internet I dealt with an open FTP server that actually _had_ been rootkitted. Wipe and restore was not necessarily the only answer in that case either, but it was the best.
What I'd really like is some extra eyeballs looking for information on rootedoor and what exploits are typically used to install it.