Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <firstname.lastname@example.org>
From: Steven M. Bellovin <email@example.com>
Date: 01/12/2007 09:03:43
On Fri, 12 Jan 2007 06:47:41 -0700
"Andy Ruhl" <firstname.lastname@example.org> wrote:
> I'm surprised that a few people think you should start over. I would
> seriously hope that a compromised user account wouldn't immediately
> prompt paranoia that the box was rooted. I understand that this is a
> thoght process that needs to take place, but I would hope that NetBSD
> is more hardy than that.
The odds are not in your favor. "Reformat and reinstall" is the
conventional wisdom, with good reason.
> I always keep my install sets somewhere else so I can do a checksum
> against some important programs to see if it's been hacked.
A good starting point, but far from sufficient. Finding a
well-concealed back door is *hard*.
--Steve Bellovin, http://www.cs.columbia.edu/~smb