
Cleaning up a compromise

Posted Feb 21, 2013 17:32 UTC (Thu) by man_ls (guest, #15091)
In reply to: Secure boot by drag
Parent article: Bottomley: Owning your Windows 8 UEFI Platform

You have a point, of course. But it largely depends on the context. An absolute like "there is no way to know you succeeded so better wipe the whole machine" can be true if you are working for the NSA. In this particular case the crackers just wanted to send their bloody spam from the server; they were not interested in anything else. In fact we were getting lots of abuse reports, which stopped after the cleanup. It is possible that the spammers still had another backdoor into the system (besides the compromised SSH binary), but why would they enter the machine and not send any more spam? In this case the proof is in the pudding.

Rootkit detectors are supposed to work well, at least in Linux. It is an arms race between them and rootkit developers, but in this case my money is definitely on the good guys. On Windows it is probably harder to be thorough.

On my personal desktop machine I would be much more paranoid. On this particular web server wiping it out was more trouble than doing a cleanup, and by the way the customer wanted it this way. Perhaps a poor excuse, but good enough for me in this situation. So I am not going to advise anyone else to clean up a compromised machine, just to consider your options carefully.




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds