Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Thomas Krichel wrote:
Andrew McGlashan writes
Thomas Krichel wrote:
chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
So, in effect, did you possibly give away your root password or pass
phrase key for the netbka machine?
Yup. After killing the "dropbear" process.
Perhaps it would have been better to work from from a non-infected
machine; do the scp of such files .... or better still just backup the data.
nebka:# scp -p /usr/bin/ps root@infected-machine:/usr/bin/ps
nebka:# scp -pr /saved-data-dir root@infected-machine:/data-dir
rsync might be an option too...
Perhaps even use a live-cd or work in a chroot to offer as much
protection as possible for the non-infected machine.
You've also got to hope that scp or any other programs/binaries you rely
on themselves aren't infected on the compromised machine in a way that
might cause further issues.
I wouldn't be that trusting,
I wouldn't be either, but what is man to do who is
not a security expert to do?
you already know you were compromised
-- best to re-install clean if you ask me.
yeah, but I have no physical access to the infected
box and must keep its data. I reinstalled all the
packages. psutils was the one that got aptitude
If you have no physical access, do you have a way to nuke and
re-install? Is it VPS or similar?
Something I've discovered as a really good feature of HP's iLO is the
ability to mount an ISO from a local / trusted source and boot a machine
remotely using the virtually mounted CD/DVD -- that gives you a whole
new level of access without the need for actual physical access. You
can work with a console remotely too in this case. Once it is running,
you could install ssh server, set a password and use it in a more
traditional way. Of course, it won't help if the machine doesn't have
iLO or is a VPS itself -- but there might be similar methods with a VPS.
Oh and HP's iLO might need an "advanced" license for virtual media to
work, not sure about that yet. I picked up a nice DL380 G4 with the
advanced iLO license already installed.
Broadband Solutions now including VoIP