[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to fix rootkit?

On 2/8/12 09:53 , volk@lab127.karelia.ru wrote:
Today I found next things at squeeze. Please help to fix, I've no
experience in such tasks.

As Fabian already mentioned, you cannot know what an attacker changed in the system (especially now that chkrootkit found a rootkit), therefore you cannot trust anything on the system that you might use for "repairing" it. The only way is to do a clean reinstall and restore user data from backup. You could also get the configuration files from backup, but check manually for changes (your latest backups might have been made after the attack, the bad guy might have changed some configuration files as well). I'd check for executable files in users' directories and contents of their .profile and .bashrc as well.

The question is how the intruder got root access in the first place - without finding the fixing that, you might get "owned" again, as soon as you reinstall the system. Perhaps chapter 11 of the "Securing Debian Manual" can help:


Good luck!


Reply to: