[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree

Thomas Krichel wrote:
  Andrew McGlashan writes

Thomas Krichel wrote:
chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
So, in effect, did you possibly give away your root password or pass
phrase key for the netbka machine?

  Yup. After killing the "dropbear" process.

Perhaps it would have been better to work from from a non-infected machine; do the scp of such files .... or better still just backup the data.

nebka:# scp -p /usr/bin/ps root@infected-machine:/usr/bin/ps


nebka:# scp -pr /saved-data-dir root@infected-machine:/data-dir

rsync might be an option too...

Perhaps even use a live-cd or work in a chroot to offer as much protection as possible for the non-infected machine.

You've also got to hope that scp or any other programs/binaries you rely on themselves aren't infected on the compromised machine in a way that might cause further issues.

I wouldn't be that trusting,

  I wouldn't be either, but what is man to do who is
  not a security expert to do?

you already know you were compromised
-- best to re-install clean if you ask me.

  yeah, but I have no physical access to the infected
  box and must keep its data. I reinstalled all the
  packages. psutils was the one that got aptitude

If you have no physical access, do you have a way to nuke and re-install? Is it VPS or similar?

Something I've discovered as a really good feature of HP's iLO is the ability to mount an ISO from a local / trusted source and boot a machine remotely using the virtually mounted CD/DVD -- that gives you a whole new level of access without the need for actual physical access. You can work with a console remotely too in this case. Once it is running, you could install ssh server, set a password and use it in a more traditional way. Of course, it won't help if the machine doesn't have iLO or is a VPS itself -- but there might be similar methods with a VPS.

Oh and HP's iLO might need an "advanced" license for virtual media to work, not sure about that yet. I picked up a nice DL380 G4 with the advanced iLO license already installed.


Kind Regards

Andrew McGlashan
Broadband Solutions now including VoIP

Reply to: