Re: how to fix rootkit?
On 08.02.2012 17:03, Fernando Mercês wrote:
> Humm... you're all right, dumping before reboot is much better.
> Another tip: dump with your own dd/rsync binary copies. Remember: you
> cannot trust this system.
> You can also capture some network traffic and general volatile data
> (memory) before reboot.
Strictly speaking, you either cannot trust that you are calling your own binary copies then, or that they work as expected on a rootkitted machine.
Another way would be to hard power off the machine. You run a small risk of getting an inconsistent filesystem or swap then, but you have a "frozen" version of your rootkitted system as it was while running.
But you may not get at the content of your RAM that way, unless you can use forensic tools or the like for reading the memory after turning off.
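A collection script in the spirit of the advice above, added here as an example and not part of the thread: it refuses to run unless the trusted toolkit (assumed mounted read-only at /mnt/ir-tools with a sha256 manifest) verifies against its own hashes, collects volatile data in order of volatility before any reboot, and hashes every artefact it writes. Tool names, paths, the manifest layout and the disk device are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: collect volatile data before a reboot using
# only tools from a read-only medium, and hash everything written. Paths, the
# manifest name, the tool list and /dev/sda are assumptions for illustration.
TOOLKIT="${TOOLKIT:-/mnt/ir-tools}"                 # read-only medium with trusted, static binaries
OUT="${OUT:-/mnt/evidence/$(uname -n)-$(date +%Y%m%dT%H%M%S)}"

# Check the toolkit against its own manifest using the toolkit's own sha256sum,
# so a swapped or tampered tool is refused rather than trusted.
verify_toolkit() {
    dir="$1"
    ( cd "$dir" && ./sha256sum -c manifest.sha256 ) >/dev/null 2>&1
}

# Run one command with the trusted tools first in PATH; keep stdout and stderr
# under $OUT and append the artefact's hash to a manifest for later integrity checks.
collect() {
    name="$1"; shift
    PATH="$TOOLKIT:$PATH" "$@" >"$OUT/$name" 2>"$OUT/$name.err" || true
    ( cd "$OUT" && "$TOOLKIT/sha256sum" "$name" >>MANIFEST.sha256 )
}

# Order of volatility: memory and network state first, the disk image last.
run_collection() {
    verify_toolkit "$TOOLKIT" || { echo "toolkit failed verification, refusing to run" >&2; return 1; }
    mkdir -p "$OUT"
    collect date.start   date
    # Memory acquisition is tool-specific (e.g. a kernel-module dumper) and belongs here, before anything else.
    collect traffic.pcap timeout 120 tcpdump -n -i any -w -   # short capture of live traffic
    collect netstat      netstat -tupan
    collect ps           ps auxwww
    collect lsof         lsof -n -P
    collect modules      cat /proc/modules
    collect mounts       cat /proc/mounts
    collect disk.img     dd if=/dev/sda bs=4M                 # assumption: suspect disk is /dev/sda
    collect date.end     date
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
case "${1:-}" in
    --run) run_collection ;;
esac
```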