Thomas Krichel wrote:
Andrew McGlashan writesThomas Krichel wrote:chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procpsSo, in effect, did you possibly give away your root password or pass phrase key for the netbka machine?Yup. After killing the "dropbear" process.
Perhaps it would have been better to work from from a non-infected machine; do the scp of such files .... or better still just backup the data.
nebka:# scp -p /usr/bin/ps root@infected-machine:/usr/bin/ps and/or nebka:# scp -pr /saved-data-dir root@infected-machine:/data-dir rsync might be an option too...Perhaps even use a live-cd or work in a chroot to offer as much protection as possible for the non-infected machine.
You've also got to hope that scp or any other programs/binaries you rely on themselves aren't infected on the compromised machine in a way that might cause further issues.
I wouldn't be that trusting,I wouldn't be either, but what is man to do who is not a security expert to do?you already know you were compromised -- best to re-install clean if you ask me.yeah, but I have no physical access to the infected box and must keep its data. I reinstalled all the packages. psutils was the one that got aptitude stymied.
If you have no physical access, do you have a way to nuke and re-install? Is it VPS or similar?
Something I've discovered as a really good feature of HP's iLO is the ability to mount an ISO from a local / trusted source and boot a machine remotely using the virtually mounted CD/DVD -- that gives you a whole new level of access without the need for actual physical access. You can work with a console remotely too in this case. Once it is running, you could install ssh server, set a password and use it in a more traditional way. Of course, it won't help if the machine doesn't have iLO or is a VPS itself -- but there might be similar methods with a VPS.
Oh and HP's iLO might need an "advanced" license for virtual media to work, not sure about that yet. I picked up a nice DL380 G4 with the advanced iLO license already installed.
Cheers -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP