Re: how to fix rootkit?

[Fernando Mercês <nandu88@gmail.com>]

I recommend you boot with some live CD system and make a dump of each
partition, including swap, with dd. So you can analyze it after wipe
your system.

This analysis will help you to discover how attacker have gained root
access, protect your actual system and feed community with real case
information. If you need help, please let me know.

Best regards,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria
------------------------------------
II Hack'n Rio - 23 e 24/11
                 hacknrio.org
------------------------------------



On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
<als@thangorodrim.de> wrote:
> On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru wrote:
>> Today I found next things at squeeze. Please help to fix, I've no
>> experience in such tasks.
>>
>> # chkrootkit
>> ROOTDIR is `/'
>> Checking `ifconfig'...                                      INFECTED
>> Checking `netstat'...                                       INFECTED
>
> Don't even try to fix, with the system rooted you cannot trust it.
> The only safe course of action is to wipe the system and reinstall it.
>
> If you need the data on the machine and have no current backups, boot
> from a rescue CD (giving you a _clean_ environment) and copy the data
> off, then wipe & reinstall.
>
> Kind regards,
>           Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
>  looks like work."                                      -- Thomas A. Edison
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: 20120208125104.GA18436@thangorodrim.de">http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
>