Message-ID: <3FE76992.5020804@umn.edu>
From: eckman at umn.edu (Brian Eckman)
Subject: Removing ShKit Root Kit
Larry W. Cashdollar wrote:
>
> On Mon, 22 Dec 2003, Brian Eckman wrote:
>
>
>>Schmehl, Paul L wrote:
>
>
>>Hmmm. Well, if the execute bit isn't set, then I'd assume it can be
>>considered relatively safe. If the attacker can later find a way to
>>chmod it and then execute it with the privileges needed to make it
>>harmful, then I imagine that they could find other ways of compromising
>>your machine as well.
>>
>
>
> The attacker could have also added a new user to your oracle database, so
> I see where Paul is coming from. Restoring actual data from a known good
> copy is a better idea. I suspect that most people keep a backup copy
> (raw dd) of a compromised system for the feds and a copy for themselves to
> explore. Other than that nothing can be trusted from the compromised
> system.
>
> -- Larry C$
It always will depend on the situation. Is throwing away a few million
transactions acceptable, when it might take a couple of hours or less to
compare the Oracle user list against a known good list? Should you
scrutinize each of those millions of transactions that occurred between
compromise and detection to make sure each and every one of them is
legit? If doing so costs more than it is worth (define as you wish), it
won't happen, and shouldn't.
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
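As an added illustration of the comparison Brian describes (not code from the thread or its posters), the script below diffs an exported Oracle account list against a known-good baseline and flags new accounts, gained roles and status changes. The CSV layout, column names and every sample row are constructed assumptions.

```python
"""Compare exported Oracle account metadata against a known-good baseline.
Constructed CSV input in the shape USERNAME,CREATED,ACCOUNT_STATUS,ROLES
(as one might export from DBA_USERS joined with DBA_ROLE_PRIVS)."""
import csv
import io
from datetime import datetime

# Constructed sample: the known-good list taken before the incident.
BASELINE = """USERNAME,CREATED,ACCOUNT_STATUS,ROLES
SYS,2001-03-01 10:00:00,OPEN,DBA
APP_OWNER,2002-07-14 09:30:00,OPEN,CONNECT;RESOURCE
REPORTS,2002-07-14 09:31:00,OPEN,CONNECT
"""
# Constructed sample: the list exported from the compromised system.
CURRENT = """USERNAME,CREATED,ACCOUNT_STATUS,ROLES
SYS,2001-03-01 10:00:00,OPEN,DBA
APP_OWNER,2002-07-14 09:30:00,OPEN,CONNECT;RESOURCE;DBA
REPORTS,2002-07-14 09:31:00,OPEN,CONNECT
SUPPORT2,2003-12-20 03:12:44,OPEN,DBA
"""

def load_accounts(text):
    """Parse the CSV export into {username: {created, status, roles}}."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        accounts[row["USERNAME"]] = {
            "created": datetime.strptime(row["CREATED"], "%Y-%m-%d %H:%M:%S"),
            "status": row["ACCOUNT_STATUS"],
            "roles": set(filter(None, row["ROLES"].split(";"))),
        }
    return accounts

def compare_accounts(baseline_text, current_text, compromise_start):
    """Return sorted (finding, username, detail) tuples; compromise_start is
    'YYYY-MM-DD' and is used to date any account absent from the baseline."""
    base, cur = load_accounts(baseline_text), load_accounts(current_text)
    start = datetime.strptime(compromise_start, "%Y-%m-%d")
    findings = []
    for name, acct in cur.items():
        if name not in base:
            when = "after" if acct["created"] >= start else "before"
            findings.append(("NEW_ACCOUNT", name, f"created {when} suspected compromise"))
            continue
        added = acct["roles"] - base[name]["roles"]   # privileges gained since baseline
        if added:
            findings.append(("ROLE_ADDED", name, ";".join(sorted(added))))
        if acct["status"] != base[name]["status"]:
            findings.append(("STATUS_CHANGED", name, acct["status"]))
    findings += [("ACCOUNT_MISSING", n, "") for n in base if n not in cur]
    return sorted(findings)
```

Accounts missing from the current export are reported too, since a deleted baseline account is as much a change to explain as an added one.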