Re: how to fix rootkit?

[Repasi Tibor <repasi.tibor@advan-ce.hu>]

But, the most important: think before you act. If you wipe and reinstall 
the system, it could be as vulnerable as it was, so it may be rooted 
before you have it fully up again. Consider the following:

- Cut network connection. Having the system off-line you can investigate 
the situation undisturbed. However, there is a small chance that the 
rootkit eliminates itself when counteraction (network unplug) is detected.

- Announce the incident. In the company, to customers, and to whom it 
may concerns.

- Think about essential services running on the system. What your 
business cannot run without, you should care to restart minimal 
sufficient services (probably from some other hosts).

- Prepare yourself in doing the investigation. A good starting point: 
http://www.fish2.com/tct/help-when-broken-into

- Backup the last state for investigation. Do a backup of all 
filesystems prior to reboot  (as suggested), than reboot to a clean 
environment and dump the HD contents again.

- Investigate. Find the answers to questions: How the intruder gained 
root access? What vulnerability was necessary to do so? What 
countermeasures are available on the issue? Can you setup a new system 
which is immune against the intrusion?

- Setup a new and clean system from a latest release and take necessary 
action to provide hardened security.

- Stepwise re-enable services.


On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I would rather (if it's ok for the server do be down for a while) unplug
> the internet cable and dd (and/or rsync) all the partitions before
> rebooting.
> A lot of information (including swap) is lost during reboot...
>
> Best,
> Leonor Palmeira.
>
> On 08/02/12 14:50, Fernando Mercês wrote:
>    
> > I recommend you boot with some live CD system and make a dump of each
> > partition, including swap, with dd. So you can analyze it after wipe
> > your system.
> >
> > This analysis will help you to discover how attacker have gained root
> > access, protect your actual system and feed community with real case
> > information. If you need help, please let me know.
> >
> > Best regards,
> >
> > Fernando Mercês
> > Linux Registered User #432779
> > www.mentebinaria.com.br
> > softwarelivre-rj.org
> > @MenteBinaria
> > ------------------------------------
> > II Hack'n Rio - 23 e 24/11
> >                   hacknrio.org
> > ------------------------------------
> >
> >
> >
> > On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
> > <als@thangorodrim.de>  wrote:
> >      
> > > On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru wrote:
> > >        
> > > > Today I found next things at squeeze. Please help to fix, I've no
> > > > experience in such tasks.
> > > >
> > > > # chkrootkit
> > > > ROOTDIR is `/'
> > > > Checking `ifconfig'...                                      INFECTED
> > > > Checking `netstat'...                                       INFECTED
> > > >          
> > > Don't even try to fix, with the system rooted you cannot trust it.
> > > The only safe course of action is to wipe the system and reinstall it.
> > >
> > > If you need the data on the machine and have no current backups, boot
> > > from a rescue CD (giving you a _clean_ environment) and copy the data
> > > off, then wipe&  reinstall.
> > >
> > > Kind regards,
> > >            Alex.
> > > --
> > > "Opportunity is missed by most people because it is dressed in overalls and
> > >   looks like work."                                      -- Thomas A. Edison
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > > Archive: 20120208125104.GA18436@thangorodrim.de">http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
> > >
> > >        
> >
> >      
> - -- 
> Leonor Palmeira, PhD
>
> Phone: +32 4 366 42 69
> Email: mlpalmeira AT ulg DOT ac DOT be
> http://sites.google.com/site/leonorpalmeira
>
> Immunology-Vaccinology, Bat. B43b
> Faculty of Veterinary Medicine
> Boulevard de Colonster, 20
> University of Liege, B-4000 Liege (Sart-Tilman)
> Belgium
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEcBAEBAgAGBQJPMoF4AAoJEKquFGwgRb3zXEgIAIvbk4PP2bBH0V2SQTQc0MD2
> C0YuVRbWU5DBCQZ83bIcOKDjxMnB4IMpZt3qIeih9pS1V/Ip/zCCL83rTWEieUOY
> k77nHns75cUjcf85krfTs0IcvW22D1UC6Fh63LSDKDQQ6HV5p4B3zFVl7zd9SWlz
> 9rvKjnfSvwJp1Xq0j0d0KpEZ3CAN7ltbJh/3G/ByAcQV1Z7FO0elbpHE0IbGDKnA
> ezVOG23ICzwfXH2SiPKp9kFxwgAPGTD1lnOr27oWQHlxPa7ccwQFWzbyL9kPm1zv
> J4eJ3tfuGI6Iv/dd/o8DW9xcYNw4FsXo61bfcrwlOrni0Tf4/ZPKytnwY6o9pII=
> =MUD3
> -----END PGP SIGNATURE-----
>
>
>    


--
Best regards / Mit freundlichen Grüßen / Üdvözlettel

Tibor Répási