[Techtalk] undeletable files

Caitlyn Martin caitlynmaire at earthlink.net
Thu Mar 28 15:50:41 EST 2002


Hi, Walt, Raven, and everyone else,
> 
> 	Throwing in my two cents with everyone else's -- this really is
> what you should do if you ever want to trust that system again.  Not
> just trusting it for your own files and system integrity, but also
> trusting it to not DDoS other machines, spy on the rest of your network,
> harvest passwords, get your account canned by your ISP, send threatening
> mail from youraccount at yourdomain.com to the President, thereby earning
> you some really unfriendly attention... there are lots of really nasty
> things that can happen to you because of a hacked box.

As someone who has done security for a living, I really have to agree with
Raven.  You can absolutely, positively, *never* be sure that your system
isn't still compromised in some way you haven't thought of, and that, in
turn, can lead to your system being hacked again and/or exploited in some
nasty way.  It really, really, really is, in most every case, worth the
time to nuke the whole thing, reinstall, set up accounts again, restore
data from before the earliest evidence of hacking, etc...  Lots of work?
You betcha.  It may well save you far bigger headaches later.
> 
> 	You could see the /dev files with what?  Ls on the compromised
> hard drive?  I wouldn't trust it.  Even if the checksums match, md5sum
> may be trojaned to lie to you, or the trojaned ls may have been tailored
> to be the same size as the original.  (Check MAC times with known good
> media -- that will give you a better clue.  And, as someone else has
> suggested, chkrootkit sometimes finds rootkits.  It's batting about .600
> for the systems I've seen that I know to have been rootkitted.)

...and this is all just the tip of the iceberg.

All the best,
Caity
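Raven's point above (a trojaned ls or md5sum on the compromised disk cannot be trusted, but hashes and MAC times checked from known-good media can) is illustrated by the following added example, which is not part of the original thread and not a tool either poster used. It assumes the suspect disk has been mounted read-only under a clean boot, that a known-good copy of the same files (e.g. from install media) is available to hash as a baseline, and it uses SHA-256 rather than MD5 simply because it is the stronger choice today. The sample trees it builds are constructed in a temp directory purely for the demo; in real use you would point `audit()` at the mount point and `build_manifest()` at the trusted copy.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, the KNOWN-GOOD tree (trusted media)."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def mac_times(path: Path) -> dict:
    """Return the modify/access/change times recorded by the filesystem.
    lstat() is used so a symlink's own times are reported, not its target's."""
    st = path.lstat()
    return {"mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}


def audit(mounted_root: Path, manifest: dict) -> dict:
    """Compare a suspect tree (read-only mount of the hacked disk) against the
    manifest. A file that was tailored to keep its original size but changed
    contents still shows up here, because the comparison is by hash, not size.
    Regular files that the baseline never had (for instance under dev/, where
    only device nodes are expected) are reported as 'unexpected' with their
    MAC times so they can be placed on the timeline."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in sorted(mounted_root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        rel = p.relative_to(mounted_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings["unexpected"].append((rel, mac_times(p)))
        elif sha256_of(p) != manifest[rel]:
            findings["modified"].append((rel, mac_times(p)))
    findings["missing"] = sorted(rel for rel in manifest if rel not in seen)
    return findings


def demo() -> dict:
    """Build a tiny known-good tree and a suspect tree with constructed contents,
    then audit the suspect tree. All file data here is made up for the example."""
    base = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    good, suspect = base / "good", base / "suspect"
    files = {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "bin/md5sum": b"md5sum v1"}
    for root in (good, suspect):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Same length as the original, different bytes: size alone would not catch this.
    (suspect / "bin/ls").write_bytes(b"ls v2")
    # A binary removed from the suspect system.
    (suspect / "bin/ps").unlink()
    # A regular file where only device nodes belong; not in the baseline at all.
    (suspect / "dev").mkdir()
    (suspect / "dev/.hidden").write_bytes(b"not a device node")
    return audit(suspect, build_manifest(good))


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("   ", item)
```

The script itself must run from the clean environment: hashing the suspect disk with tools that live on that same disk would only repeat the mistake Raven describes. Hash mismatches tell you which binaries to distrust; the MAC times on the unexpected and modified entries give the earliest evidence of tampering, which is the date Caitlyn suggests restoring data from before.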