
[ProgSoc] Re: [ADMIN] Exploit Update



On Tue, Nov 09, 2004 at 01:57:26PM +1100, Shaun Clowes wrote:
> 
> >While of course it's very possible that log entry is a fabrication, I've
> >still brought it to the attention of Dave Morrison, ITD's IT Security
> >Manager, who has said he will check into it in case it is genuine.  In any
> >case, I'm going to be leaving Trogdor off the internet for a while until I
> >can get static binaries to run a chkrootkit (though hopefully that
> >shouldn't be too hard given we have succubus running the same architecture
> >and distro) and then make sure trogdor is properly updated, as well as
> >enabling cron-apt to prevent this happening again.  Of course, if anyone
> >has any suggestions in the meantime, feel free to make them, otherwise I'm
> >just going to play it safe and fully check things out before bringing
> >trogdor back up.  Admittedly this will mean the web server will be down
> >briefly, but given it's the web server which is the exploit target, I
> >think that's a necessary evil.
> 
> I would suggest further mitigating the risk and formatting the machine and 
> reinstalling it (hopefully the attacker didn't use the NFS mounts to 
> leverage control of the other machines).
> 
> Cheers,
> Shaun
> 

I second that. There is no point trying to recover the system as it will
probably end up being more work than a reinstall.

later

matthew
