
Re: how to fix rootkit?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I would rather (if it's ok for the server to be down for a while) unplug
the internet cable and dd (and/or rsync) all the partitions before
rebooting.
A lot of information (including swap) is lost during reboot...

Best,
Leonor Palmeira.

On 08/02/12 14:50, Fernando Mercês wrote:
> I recommend you boot with some live CD system and make a dump of each
> partition, including swap, with dd, so you can analyze it after wiping
> your system.
> 
> This analysis will help you to discover how the attacker gained root
> access, protect your actual system and feed the community with real-case
> information. If you need help, please let me know.
> 
> Best regards,
> 
> Fernando Mercês
> Linux Registered User #432779
> www.mentebinaria.com.br
> softwarelivre-rj.org
> @MenteBinaria
> ------------------------------------
> II Hack'n Rio - 23 e 24/11
>                  hacknrio.org
> ------------------------------------
> 
> 
> 
> On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
> <als@thangorodrim.de> wrote:
>> On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru wrote:
>>> Today I found the following things on squeeze. Please help to fix, I've no
>>> experience in such tasks.
>>>
>>> # chkrootkit
>>> ROOTDIR is `/'
>>> Checking `ifconfig'...                                      INFECTED
>>> Checking `netstat'...                                       INFECTED
>>
>> Don't even try to fix, with the system rooted you cannot trust it.
>> The only safe course of action is to wipe the system and reinstall it.
>>
>> If you need the data on the machine and have no current backups, boot
>> from a rescue CD (giving you a _clean_ environment) and copy the data
>> off, then wipe & reinstall.
>>
>> Kind regards,
>>           Alex.
>> --
>> "Opportunity is missed by most people because it is dressed in overalls and
>>  looks like work."                                      -- Thomas A. Edison
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>> Archive: http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
>>
> 
> 

- -- 
Leonor Palmeira, PhD

Phone: +32 4 366 42 69
Email: mlpalmeira AT ulg DOT ac DOT be
http://sites.google.com/site/leonorpalmeira

Immunology-Vaccinology, Bat. B43b
Faculty of Veterinary Medicine
Boulevard de Colonster, 20
University of Liege, B-4000 Liege (Sart-Tilman)
Belgium
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPMoF4AAoJEKquFGwgRb3zXEgIAIvbk4PP2bBH0V2SQTQc0MD2
C0YuVRbWU5DBCQZ83bIcOKDjxMnB4IMpZt3qIeih9pS1V/Ip/zCCL83rTWEieUOY
k77nHns75cUjcf85krfTs0IcvW22D1UC6Fh63LSDKDQQ6HV5p4B3zFVl7zd9SWlz
9rvKjnfSvwJp1Xq0j0d0KpEZ3CAN7ltbJh/3G/ByAcQV1Z7FO0elbpHE0IbGDKnA
ezVOG23ICzwfXH2SiPKp9kFxwgAPGTD1lnOr27oWQHlxPa7ccwQFWzbyL9kPm1zv
J4eJ3tfuGI6Iv/dd/o8DW9xcYNw4FsXo61bfcrwlOrni0Tf4/ZPKytnwY6o9pII=
=MUD3
-----END PGP SIGNATURE-----
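The procedure the three replies converge on (boot a clean environment, image every partition including swap with dd before the reboot destroys it, then wipe) can be scripted so that each image carries a digest and can be checked later. The script below is an added example for this archive page, not code posted by anyone in the thread. It assumes a POSIX sh with coreutils dd, sha256sum, cut and basename; the device list file, the output directory layout and the manifest line format are my own constructs. As Alex says, it belongs on the rescue CD, because dd and sha256sum on the rooted box are exactly the kind of binaries that cannot be trusted.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread above.
# Image partitions (swap included) with dd before rebooting a suspected
# compromised host, and record SHA-256 digests so every image can be verified
# later. Assumes coreutils dd/sha256sum/cut/basename and a POSIX sh. Run it
# from the rescue CD: the tools on the rooted box cannot be trusted.

# image_partition SRC DEST MANIFEST
# Sector-sized reads with conv=noerror,sync continue past unreadable sectors
# (zero-filling them) so offsets in the image stay aligned; partitions are
# whole sectors, so no padding is appended. dd's own messages go to DEST.dd.log.
# Appends "<src> <dest> <sha256-of-image> <OK|MISMATCH>" to MANIFEST.
# Returns 0 if the image hashes the same as the source, 1 on a mismatch,
# 2 if dd itself failed.
image_partition() {
    src=$1; dest=$2; manifest=$3
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 2
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$dest" | cut -d' ' -f1)
    if [ "$src_sum" = "$img_sum" ]; then status=OK; rc=0
    else status=MISMATCH; rc=1; fi
    printf '%s %s %s %s\n' "$src" "$dest" "$img_sum" "$status" >>"$manifest"
    return $rc
}

# image_devices LISTFILE OUTDIR MANIFEST
# LISTFILE holds one device path per line (assumed format; build it by hand
# or from /proc/partitions on the live system, and do include swap).
# Each device is imaged into OUTDIR/<basename>.img.
# Returns the number of devices that did not image cleanly (0 = all good).
image_devices() {
    list=$1; outdir=$2; manifest=$3; failed=0
    mkdir -p "$outdir"
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        name=$(basename "$dev")
        image_partition "$dev" "$outdir/$name.img" "$manifest" || failed=$((failed + 1))
    done <"$list"
    return $failed
}

# verify_manifest MANIFEST
# Re-hashes every image named in MANIFEST and compares with the recorded
# digest, so the copies can be checked before analysis starts and again after.
# Paths with spaces are not supported by this simple manifest format.
# Returns the number of images that are missing, were flagged MISMATCH at
# imaging time, or whose digest no longer matches (0 = all images intact).
verify_manifest() {
    manifest=$1; bad=0
    while read -r src dest sum status; do
        [ "$status" = OK ] || { bad=$((bad + 1)); continue; }
        now=$(sha256sum "$dest" 2>/dev/null | cut -d' ' -f1)
        [ "$now" = "$sum" ] || bad=$((bad + 1))
    done <"$manifest"
    return $bad
}
```

Typical use from the rescue environment would be `image_devices devices.txt /mnt/usb/images /mnt/usb/manifest` with the images written to external storage, followed by `verify_manifest /mnt/usb/manifest` before the disks are wiped; a second `verify_manifest` run at the start of analysis shows whether the images were altered in between.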
