Kyle,
You mention that the machine is 'disconnected'. Does that mean that
during the entire process of partitioning, formatting and OS installation
there are no network or telephone cables connected?
What OS are we talking about? What kind of hardware? It almost sounds
like a piece of software that you're installing has been compromised. I
see this quite often during forensic examinations of digital evidence.
One common situation is that users download applications from the net and
burn them to CD-Rs without verifying MD5 checksums or some other type of
integrity verification. The application is typically trojaned and does
various evil things after installation.
If you're just formatting and installing *nix, with no connectivity to
the machine and no other software is installed... you may have a physical
security problem. :-)
Gary
On Fri, 25 Apr 2003, Kyle Faber wrote:
>
> I have a client who has a nasty hacker problem. I have reason to believe
> that there is some sort of "sleeper" application inside some kind of hidden
> partition. I came to this conclusion after seeing evidence of the hack
> return on a repartitioned, formatted, disconnected machine. The hacked users
> returned, and the machine began to attempt to phone home. There is no evidence
> of any hidden partitions using linux fdisk.
>
> Any suggestions? I have heard some form of the dd command can be used to
> overwrite ALL information on this disk. Anyone have any tips for that? Or
> any tips in general, I am tearing my hair out on this one.
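Two helpers as an added example, not from Gary's or Kyle's messages: one does the integrity check Gary describes (compare a downloaded installer against the publisher's MD5 or SHA-256 digest file before burning it), the other does the whole-disk dd overwrite Kyle asks about, zeroing from sector 0 to the end and reading the disk back to confirm. The function names, the digest-file format (md5sum/sha256sum "hash  filename" lines) and the use of a regular file as a stand-in for the disk are assumptions of this example; it expects GNU coreutils (md5sum, sha256sum, dd, od) and, on a real disk, util-linux blockdev.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils and util-linux.

# verify_download FILE DIGESTFILE
# DIGESTFILE holds lines in md5sum/sha256sum format: "<hex>  <filename>".
# The algorithm is picked from the digest length: 32 hex chars is MD5, 64 is SHA-256.
# Returns 0 on match, 1 on mismatch, 2 if FILE has no digest listed.
verify_download() {
    file=$1
    digestfile=$2
    name=$(basename "$file")
    # Find the digest for this file name; strip the '*' that binary mode adds.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$digestfile" 2>/dev/null)
    case ${#expected} in
        32) actual=$(md5sum "$file" | awk '{ print $1 }') ;;
        64) actual=$(sha256sum "$file" | awk '{ print $1 }') ;;
        *)  echo "no usable digest for $name in $digestfile" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual) -- do not install" >&2
    return 1
}

# wipe_disk DEVICE
# Overwrites every byte of DEVICE with zeros, from sector 0 to the end, so the
# partition table, boot code and any space fdisk does not show are all gone.
# Refuses to run if DEVICE (or any partition on it) is mounted, so boot from a
# rescue CD and run it as root. DEVICE may also be a regular file, which is how
# the example can be exercised without a spare disk.
wipe_disk() {
    dev=$1
    # A mounted /dev/hdb1 shows up as a prefix match for /dev/hdb.
    if grep -qs "^$dev" /proc/mounts; then
        echo "refusing to wipe $dev: it (or a partition on it) is mounted" >&2
        return 1
    fi
    # Size in bytes: blockdev for a real block device, wc for a file stand-in.
    size=$(blockdev --getsize64 "$dev" 2>/dev/null || wc -c < "$dev")
    bs=1048576
    full=$((size / bs))
    rest=$((size % bs))
    # Bulk of the disk in 1 MiB writes, then the trailing partial MiB in 512-byte sectors.
    dd if=/dev/zero of="$dev" bs="$bs" count="$full" conv=notrunc,fsync 2>/dev/null || return 1
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs=512 seek=$((full * 2048)) count=$((rest / 512)) \
           conv=notrunc,fsync 2>/dev/null || return 1
    fi
    # Read it back: any non-zero hex digit in the dump means a byte survived.
    if od -An -v -tx1 "$dev" | tr -d ' \n' | grep -q '[^0]'; then
        echo "verification failed: $dev still holds non-zero data" >&2
        return 1
    fi
    echo "wiped and verified: $dev ($size bytes)"
    return 0
}
```

Usage on a real system would be `verify_download app.tar.gz MD5SUMS` before burning, and `wipe_disk /dev/hdb` from a rescue CD with nothing on that disk mounted. A single zero pass removes everything the disk controller will let the OS read, which is what a reinstall cannot be trusted to do; it says nothing about a second disk, removable media, or the rest of the hardware, which is Gary's point about where else to look.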