Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 01/12/2007 09:03:43
On Fri, 12 Jan 2007 06:47:41 -0700
"Andy Ruhl" <acruhl@gmail.com> wrote:
>
> I'm surprised that a few people think you should start over. I would
> seriously hope that a compromised user account wouldn't immediately
> prompt paranoia that the box was rooted. I understand that this is a
> thoght process that needs to take place, but I would hope that NetBSD
> is more hardy than that.
The odds are not in your favor. "Reformat and reinstall" is the
conventional wisdom, with good reason.
>
> I always keep my install sets somewhere else so I can do a checksum
> against some important programs to see if it's been hacked.
>
A good starting point, but far from sufficient. Finding a
well-concealed back door is *hard*.
--Steve Bellovin, http://www.cs.columbia.edu/~smb