
Re: how to fix rootkit?



Humm... you're all right, dumping before reboot is much better.

Another tip: dump with your own dd/rsync binary copies. Remember: you
cannot trust this system.

You can also capture some network traffic and general volatile data
(memory) before reboot.

BR,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria

On Wed, Feb 8, 2012 at 12:40 PM, Repasi Tibor <repasi.tibor@advan-ce.hu> wrote:
> But, the most important: think before you act. If you wipe and reinstall the
> system, it could be as vulnerable as it was, so it may be rooted before you
> have it fully up again. Consider the following:
>
> - Cut network connection. Having the system off-line you can investigate the
> situation undisturbed. However, there is a small chance that the rootkit
> eliminates itself when counteraction (network unplug) is detected.
>
> - Announce the incident. In the company, to customers, and to whom it may
> concern.
>
> - Think about essential services running on the system. For whatever your
> business cannot run without, take care to restart the minimal sufficient
> services (probably from some other hosts).
>
> - Prepare yourself in doing the investigation. A good starting point:
> http://www.fish2.com/tct/help-when-broken-into
>
> - Backup the last state for investigation. Do a backup of all filesystems
> prior to reboot (as suggested), then reboot to a clean environment and dump
> the HD contents again.
>
> - Investigate. Find the answers to these questions: How did the intruder gain
> root access? What vulnerability was necessary to do so? What countermeasures
> are available for the issue? Can you set up a new system that is immune to
> the intrusion?
>
> - Set up a new and clean system from the latest release and take the
> necessary action to provide hardened security.
>
> - Stepwise re-enable services.
>
>
>
> On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
>>
>>
>> I would rather (if it's ok for the server to be down for a while) unplug
>> the internet cable and dd (and/or rsync) all the partitions before
>> rebooting.
>> A lot of information (including swap) is lost during reboot...
>>
>> Best,
>> Leonor Palmeira.
>>
>> On 08/02/12 14:50, Fernando Mercês wrote:
>>
>>>
>>> I recommend you boot with some live CD system and make a dump of each
>>> partition, including swap, with dd. Then you can analyze it after wiping
>>> your system.
>>>
>>> This analysis will help you to discover how the attacker gained root
>>> access, protect your actual system and feed the community with real-case
>>> information. If you need help, please let me know.
>>>
>>> Best regards,
>>>
>>> Fernando Mercês
>>> Linux Registered User #432779
>>> www.mentebinaria.com.br
>>> softwarelivre-rj.org
>>> @MenteBinaria
>>> ------------------------------------
>>> II Hack'n Rio - 23 e 24/11
>>>                  hacknrio.org
>>> ------------------------------------
>>>
>>>
>>>
>>> On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
>>> <als@thangorodrim.de>  wrote:
>>>
>>>>
>>>> On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru wrote:
>>>>
>>>>>
>>>>> Today I found the following things on squeeze. Please help me fix them,
>>>>> I've no experience in such tasks.
>>>>>
>>>>> # chkrootkit
>>>>> ROOTDIR is `/'
>>>>> Checking `ifconfig'...                                      INFECTED
>>>>> Checking `netstat'...                                       INFECTED
>>>>>
>>>>
>>>> Don't even try to fix, with the system rooted you cannot trust it.
>>>> The only safe course of action is to wipe the system and reinstall it.
>>>>
>>>> If you need the data on the machine and have no current backups, boot
>>>> from a rescue CD (giving you a _clean_ environment) and copy the data
>>>> off, then wipe & reinstall.
>>>>
>>>>
>>>> Kind regards,
>>>>           Alex.
>>>> --
>>>> "Opportunity is missed by most people because it is dressed in overalls
>>>>  and looks like work."                                  -- Thomas A. Edison
>>>>
>>>>
>>>> --
>>>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>>>> with a subject of "unsubscribe". Trouble? Contact
>>>> listmaster@lists.debian.org
>>>> Archive: http://lists.debian.org/20120208125104.GA18436@thangorodrim.de
>>>>
>>>>
>>>
>>>
>>>
>>
>> -- Leonor Palmeira, PhD
>>
>> Phone: +32 4 366 42 69
>> Email: mlpalmeira AT ulg DOT ac DOT be
>> http://sites.google.com/site/leonorpalmeira
>>
>> Immunology-Vaccinology, Bat. B43b
>> Faculty of Veterinary Medicine
>> Boulevard de Colonster, 20
>> University of Liege, B-4000 Liege (Sart-Tilman)
>> Belgium
>>
>>
>>
>
>
>
> --
> Best regards / Mit freundlichen Grüßen / Üdvözlettel
>
> Tibor Répási
>
>
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> Archive: http://lists.debian.org/4F328961.4040006@advan-ce.hu
>
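The acquisition step the thread keeps coming back to (dd each partition, swap included, from a clean live environment, using your own trusted binaries, and keep a record you can verify after the reboot) as an added example; this is not code from any of the posters. It assumes a directory of known-good binaries at `$TOOLS` and that the image goes to an external evidence disk; the sample "partition" in the test is a constructed file.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread. Image one partition with dd
# from a live CD, hashing source and image so the copy can be proven intact
# later. Assumption: $TOOLS holds dd/sha256sum copied from trusted media;
# the rooted system's own binaries must not be used.
set -u

TOOLS="${TOOLS:-/media/tools/bin}"   # assumed location of trusted binaries
PATH="$TOOLS:$PATH"                  # prefer them over anything on the host

# acquire_image SRC OUT: copy SRC (a block device such as /dev/sda1, or a
# file) to OUT and write OUT.sha256 with the hash of both sides.
acquire_image() {
    src="$1"; out="$2"
    # bs=512 matches the sector size, so conv=sync never pads a trailing
    # partial block on a real device; conv=noerror keeps going over bad
    # sectors instead of aborting the dump. dd's summary goes to OUT.dd.log.
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>"$out.dd.log" || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$out" | cut -d' ' -f1)
    # Line 1: source hash, line 2: image hash. Keep this file with the image.
    printf '%s  %s\n' "$src_sum" "$src" >"$out.sha256"
    printf '%s  %s\n' "$img_sum" "$out" >>"$out.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# verify_image OUT: after rebooting into the clean environment (or before
# handing the image to an analyst), confirm OUT still matches the hash
# recorded at acquisition time.
verify_image() {
    out="$1"
    recorded=$(sed -n '2p' "$out.sha256" | cut -d' ' -f1)
    current=$(sha256sum "$out" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage from the live CD, once per partition plus swap, e.g.:
#   acquire_image /dev/sda1 /mnt/evidence/sda1.img
#   acquire_image /dev/sda2 /mnt/evidence/swap.img
```

Swap is imaged like any other partition; the image files and their .sha256 records are what you keep after the wipe.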