Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 01/12/2007 09:03:43
On Fri, 12 Jan 2007 06:47:41 -0700
"Andy Ruhl" <acruhl@gmail.com> wrote:


> 
> I'm surprised that a few people think you should start over. I would
> seriously hope that a compromised user account wouldn't immediately
> prompt paranoia that the box was rooted. I understand that this is a
> thought process that needs to take place, but I would hope that NetBSD
> is more hardy than that.

The odds are not in your favor.  "Reformat and reinstall" is the
conventional wisdom, with good reason.
> 
> I always keep my install sets somewhere else so I can do a checksum
> against some important programs to see if it's been hacked.
> 
A good starting point, but far from sufficient.  Finding a
well-concealed back door is *hard*.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
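
The install-set comparison mentioned in the quoted message, as an added example that is not part of the original thread. The function name `verify_set` and its arguments are hypothetical; it assumes a gzip-compressed tar set kept offline and a suspect tree mounted from trusted boot media, and compares byte for byte rather than by checksum.

```shell
#!/bin/sh
# Added example (not from the thread): compare every regular file shipped in a
# pristine install set against the same path under a suspect root.
# Assumptions: $1 is a known-good set (e.g. a base.tgz stored off the host),
# $2 is the suspect filesystem, mounted read-only after booting trusted media
# so that the tools doing the comparison are not the ones being checked.

verify_set() {
    set_tgz=$1
    root=$2

    # Scratch directory for the known-good copy.
    ref=$(mktemp -d) || return 2
    if ! tar -xzf "$set_tgz" -C "$ref"; then
        rm -rf "$ref"
        return 2
    fi

    # Walk the reference files and report anything absent or different.
    report=$(find "$ref" -type f | sort | while IFS= read -r f; do
        rel=${f#"$ref"/}
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$f" "$root/$rel"; then
            echo "MODIFIED $rel"
        fi
    done)

    rm -rf "$ref"

    # Exit status: 0 = all set files match, 1 = differences, 2 = setup error.
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

A clean result covers only the contents of files the set ships; files added elsewhere on the system, and changes to permissions or ownership, are not examined.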