[asterisk-users] Root Password not taking

SIP sip at arcdiv.com
Thu Jan 22 16:46:50 CST 2009


Steve Edwards wrote:
> On Thu, 22 Jan 2009, Wilton Helm wrote:
>
>> If some of your directories like /home and /user have separate mount 
>> points, they don't have to get wiped out in the process.
>
> If there is any reason to suspect a hack, re-installation is the only way. 
> I would replace the suspect drive and do a fresh install on a fresh drive. 
> If you can bring it up to current patch level before exposing it to the 
> 'net, all the better.
>
> Having the suspect drive available to crib configuration details from will 
> come in handy. Just mount it read-only on a non-executable mount point.
>
> After a hack, no executable or configuration file can be trusted and all 
> data is suspect so even if /home and /us[e]r are not clobbered, they 
> cannot be trusted.
>
> Thanks in advance,
> ------------------------------------------------------------------------
> Steve Edwards      sedwards at sedwards.com      Voice: +1-760-468-3867 PST
> Newline                                             Fax: +1-760-731-3000
>

Have to agree with Steve there.  While a majority of hacks are just
script kiddies using the vulnerability du jour, some are quite expertly
done.  I'd a friend in college who hacked into the university's main
servers and spent a lot of time replacing system binaries with his own
that he'd tailored to have the same byte count and same overall
properties (with hidden extra switches here and there) so they wouldn't
be readily noticed. This was WAAAY back in the day before things like
tripwire and the like, but a careful hacker can become next to
undetectable.

The only SURE solution is to wipe the drive and start fresh, making sure
to patch any holes through which the hacker might have come while you're
doing a new install.

N.
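The point about binaries swapped for same-size replacements is exactly what a Tripwire-style integrity baseline catches: the byte count matches, the cryptographic hash does not. Added example, not from this thread; it builds a baseline of size, permission bits and SHA-256 for every regular file under a directory, then re-checks it, using a constructed temporary tree with a fake "ls" swapped for one of identical length.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Size, permission bits and SHA-256 of one regular file."""
    st = path.lstat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular file, keyed by path relative to root.
    Symlinks are skipped so a planted link cannot make the check read elsewhere."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline (which should live off-box or
    on read-only media). Returns changed, missing and added relative paths."""
    current = build_baseline(root)
    changed = [k for k in baseline if k in current and current[k] != baseline[k]]
    missing = [k for k in baseline if k not in current]
    added = [k for k in current if k not in baseline]
    return {"changed": sorted(changed), "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: a 'binary' is replaced by one of identical byte count."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        target = root / "bin" / "ls"
        target.write_bytes(b"#!/bin/sh\necho genuine-ls\n")
        (root / "bin" / "cat").write_bytes(b"#!/bin/sh\necho genuine-cat\n")
        baseline = build_baseline(root)
        # Same length, different content: a size-only comparison would miss this.
        replacement = b"#!/bin/sh\necho rootkit-ls\n"
        assert len(replacement) == target.stat().st_size
        target.write_bytes(replacement)
        return verify(root, baseline)  # returns {'changed': ['bin/ls'], ...}
```

Run the check from clean media (a rescue image, or the suspect drive mounted read-only and noexec as described above), since a baseline verified by binaries on the compromised host proves nothing.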