RE: [Full-Disclosure] Removing ShKit Root Kit
- To: <full-disclosure@lists.netsys.com>
- Subject: RE: [Full-Disclosure] Removing ShKit Root Kit
- From: "Schmehl, Paul L" <pauls@utdallas.edu>
- Date: Mon, 22 Dec 2003 13:52:57 -0600
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
> Alexander Schreiber
> Sent: Monday, December 22, 2003 12:24 AM
> To: Chris
> Cc: full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Removing ShKit Root Kit
>
> There is exactly one way to properly clean up a rooted box:
> backup the system (for later analysis and for keeping any
> data that might be needed), wipe the disks and reinstall from
> known clean install media, update the system to get all
> current security updates and properly secure the box.
>
This advice is common, and it's always mystified me. Why would you want
backups of the "data"? If the box is compromised, you can't trust
*anything* on it, can you? How can you know for certain that "data"
isn't a cleverly concealed backdoor?
I can understand backing up the disk for offline analysis, but I would
think you'd want to restore your data from known good copies, wouldn't
you? And if you don't have known good data backups, well, then consider
it a lesson learned and do it right the next time.
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
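One way to act on the point above (trust only what an off-host record of the known-good backup vouches for), as an added example that is not part of the original thread: a small Python check that compares files pulled from a compromised host against a manifest built earlier from the known-good copies. File names, contents and the `demo()` scenario are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large data sets are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root.
    In practice this is produced from the known-good backup before the incident
    and kept off the host, so the compromised box never gets to alter it."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(candidate_root: Path, manifest: dict) -> dict:
    """Compare a candidate data set against the trusted manifest.
    Anything modified, missing or unexpected is reported rather than restored."""
    found = build_manifest(candidate_root)
    return {
        "ok": sorted(k for k in manifest if found.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in found),
        "unexpected": sorted(k for k in found if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: a trusted manifest versus data pulled off a rooted host."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good"            # the pre-incident backup
        (good / "www").mkdir(parents=True)
        (good / "www" / "index.html").write_text("<h1>hello</h1>")
        (good / "www" / "logo.png").write_bytes(b"\x89PNG constructed")
        (good / "config.ini").write_text("debug=0\n")
        manifest = build_manifest(good)

        pulled = Path(tmp) / "from_rooted_host"    # what the compromised box offers
        (pulled / "www").mkdir(parents=True)
        (pulled / "www" / "index.html").write_text("<h1>hello</h1>")   # unchanged
        (pulled / "config.ini").write_text("debug=1\n")                # altered
        (pulled / "www" / "unknown.cgi").write_text("constructed")     # not in manifest
        # logo.png deliberately absent: reported as missing
        return verify_restore(pulled, manifest)
```

Only the files in `ok` are candidates for restoration; the other three buckets are exactly the "data" the reply above says you cannot take on trust from the rooted machine.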
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html