Re: how to fix rootkit?
-----BEGIN PGP SIGNED MESSAGE-----
I would rather (if it's ok for the server do be down for a while) unplug
the internet cable and dd (and/or rsync) all the partitions before
A lot of information (including swap) is lost during reboot...
On 08/02/12 14:50, Fernando Mercês wrote:
> I recommend you boot with some live CD system and make a dump of each
> partition, including swap, with dd. So you can analyze it after wipe
> your system.
> This analysis will help you to discover how attacker have gained root
> access, protect your actual system and feed community with real case
> information. If you need help, please let me know.
> Best regards,
> Fernando Mercês
> Linux Registered User #432779
> II Hack'n Rio - 23 e 24/11
> On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
> <firstname.lastname@example.org> wrote:
>> On Wed, Feb 08, 2012 at 11:53:14AM +0300, email@example.com wrote:
>>> Today I found next things at squeeze. Please help to fix, I've no
>>> experience in such tasks.
>>> # chkrootkit
>>> ROOTDIR is `/'
>>> Checking `ifconfig'... INFECTED
>>> Checking `netstat'... INFECTED
>> Don't even try to fix, with the system rooted you cannot trust it.
>> The only safe course of action is to wipe the system and reinstall it.
>> If you need the data on the machine and have no current backups, boot
>> from a rescue CD (giving you a _clean_ environment) and copy the data
>> off, then wipe & reinstall.
>> Kind regards,
>> "Opportunity is missed by most people because it is dressed in overalls and
>> looks like work." -- Thomas A. Edison
>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
>> Archive: 20120208125104.GA18436@thangorodrim.de">http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
Leonor Palmeira, PhD
Phone: +32 4 366 42 69
Email: mlpalmeira AT ulg DOT ac DOT be
Immunology-Vaccinology, Bat. B43b
Faculty of Veterinary Medicine
Boulevard de Colonster, 20
University of Liege, B-4000 Liege (Sart-Tilman)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----