Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Steven M. Bellovin <>
From: Andy Ruhl <>
List: tech-pkg
Date: 01/12/2007 07:17:26
On 1/12/07, Steven M. Bellovin <> wrote:
> On Fri, 12 Jan 2007 06:47:41 -0700
> "Andy Ruhl" <> wrote:
> >
> > I'm surprised that a few people think you should start over. I would
> > seriously hope that a compromised user account wouldn't immediately
> > prompt paranoia that the box was rooted. I understand that this is a
> > thoght process that needs to take place, but I would hope that NetBSD
> > is more hardy than that.
> The odds are not in your favor.  "Reformat and reinstall" is the
> conventional wisdom, with good reason.

I need to study this then. I understand that there have been many
escalation type security holes, and usually they are not as vigilantly
pursued as remote exploits. But I'm really hoping that my box is not
so fragile that I should worry about being rooted when a user account
is compromised. Again, I can easily be accused of being an optimist..

> >
> > I always keep my install sets somewhere else so I can do a checksum
> > against some important programs to see if it's been hacked.
> >
> A good starting point, but far from sufficient.  Finding a
> well-concealed back door is *hard*.

Yep. I'm going strictly on odds. If I check a few of the "biggies" and
they are the same, at that point I can reduce my level of panic and
then take more time to look through things. I'm not claiming to be
good at this back door finding though. Also, I'm hoping that I'm not
so important that someone would want to target me for this nonsense.
But anyway...