Re: Server hacked - next...?

Mario Lopez wrote:
> Hi!,
> >First. We need some fresh & clean tools;
> >
> >kill, killall, ps, more, netstat, ls, dpkg, apt-tools, chattr, lsattr, bash (or whatever shell you prefer).
> >
> >
> >Replace your shell with the clean one (the /etc/passwd -race).
Better, boot off a clean medium (I prefer KNOPPIX for that, as all needed
tools are there, and it runs completely from CD). Only _this_ way you can
make pretty sure that neither some nasty kernel module, nor some hacked
shared library is loaded while cleaning the compromised system.
When you have Knoppix up and running, the other posts apply (re-install base
debs, clean up /etc/{init.d,rc?d,passwd,shadow,modules(!)}), move away that
nasty root kit (via chkrootkit, may be included on the knoppix cd, but I'm
not sure).
But - as others already stated - it's highly recommended to set up from
scratch. Boot from CD, take a full backup via rsync or scp or whatever you
prefer, set up a blank system, and restore the "user" parts thoroughly.
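
An added example, not part of the original post: a sketch of auditing the /etc/passwd, /etc/shadow and /etc/modules files named above, run from the live CD against the mounted compromised root so that only clean tools are used. The function names, the mount point and all sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run from the live CD with the compromised root filesystem
# mounted read-only; pass its mount point as $1 (e.g. /mnt/hacked, assumed).

# Accounts other than root that have UID 0 in the mounted /etc/passwd.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Accounts whose password field in the mounted /etc/shadow is empty.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Modules loaded at boot via /etc/modules, comments and blank lines dropped.
boot_modules() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1/etc/modules"
}

report() {
    echo "== extra UID 0 accounts ==";   extra_uid0 "$1"
    echo "== empty passwords ==";        empty_passwords "$1"
    echo "== modules loaded at boot =="; boot_modules "$1"
}

ROOT=${1:-}
if [ -z "$ROOT" ]; then
    # No mount point given: build a small constructed tree so the script
    # runs as a demonstration. All entries below are made up.
    ROOT=$(mktemp -d)
    mkdir "$ROOT/etc"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'toor:x:0:0::/tmp:/bin/sh' \
        'www-data:x:33:33::/var/www:/bin/sh' > "$ROOT/etc/passwd"
    printf '%s\n' 'root:$1$constructed$hash:12000:0:99999:7:::' \
        'toor::12000:0:99999:7:::' > "$ROOT/etc/shadow"
    printf '%s\n' '# /etc/modules' 'ide-cd' '' 'hidemod  # constructed name' \
        > "$ROOT/etc/modules"
fi
report "$ROOT"
```

Anything it lists is a candidate for manual review before restoring files to the fresh system; an empty report does not show the system is clean.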


