
Re: how to fix rootkit?

On 02/08/12 02:41, Laurentiu Pancescu wrote:
> On 2/8/12 09:53 , volk@lab127.karelia.ru wrote:
>> Today I found next things at squeeze. Please help to fix, I've no
>> experience in such tasks.
> As Fabian already mentioned, you cannot know what an attacker changed
> in the system (especially now that chkrootkit found a rootkit),
> therefore you cannot trust anything on the system that you might use
> for "repairing" it. The only way is to do a clean reinstall and
> restore user data from backup. You could also get the configuration 
Any data restored from backup, _ESPECIALLY_ user data in /home, is a great
place to stash away back-doors.  WordPress and the like are easy to
infiltrate and compromise.

You should instead do a bare metal restore and then scan for compromised
files.  Keep going further and further back till your system is clean.
No clean backup?  Then it's like the server died and there is no backup.
Nothing you can do; say that all data was lost and rebuild...  Next time
keep backups permanently: one every three months for a year and then one
yearly backup kept permanently is a good technique.

As far as what I would do prior to a restore, look at my other posts.

> files from backup, but check manually for changes (your latest backups
> might have been made after the attack, the bad guy might have changed
> some configuration files as well). I'd check for executable files in
> users' directories and contents of their .profile and .bashrc as well.
> The question is how the intruder got root access in the first place -
> without finding and fixing that, you might get "owned" again, as soon
> as you reinstall the system. Perhaps chapter 11 of the "Securing
> Debian Manual" can help:
> http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html
> Good luck!
> Laurentiu
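An added example, not part of the thread, of the manual checks Laurentiu describes (executable files in users' directories, and .profile/.bashrc compared against a known-good copy), run over a restored /home tree before it is trusted. The argument layout, the function names and the sample tree are assumptions and constructed data, not anything from the original posts:

```shell
#!/bin/sh
# Added example, not code from the original thread. After a bare-metal
# reinstall, audit a restored home tree before trusting it. Assumed layout:
#   $1 = directory holding restored home directories (e.g. /mnt/restore/home)
#   $2 = directory of known-good reference dotfiles (e.g. /etc/skel)
set -u

# Print every regular file with any execute bit set below a tree.
# Dot-directories are searched too; that is where stray executables hide.
find_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Compare each user's .profile and .bashrc with the reference copy.
# Prints "<user> <file> MODIFIED" when the file differs or no reference exists.
check_dotfiles() {
    homes=$1
    ref=$2
    for user_dir in "$homes"/*/; do
        [ -d "$user_dir" ] || continue
        user=$(basename "$user_dir")
        for f in .profile .bashrc; do
            [ -e "$user_dir$f" ] || continue
            if [ ! -e "$ref/$f" ] || ! cmp -s "$ref/$f" "$user_dir$f"; then
                printf '%s %s MODIFIED\n' "$user" "$f"
            fi
        done
    done
}

# Run both checks; print findings and return 1 if there were any.
audit_homes() {
    findings=$( (check_dotfiles "$1" "$2"; find_executables "$1") )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a small constructed sample tree (not real data) so the audit can be
# exercised offline. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/skel" "$d/homes/alice/.cache" "$d/homes/bob"
    printf '# clean .bashrc\n' > "$d/skel/.bashrc"
    printf '# clean .profile\n' > "$d/skel/.profile"
    cp "$d/skel/.bashrc" "$d/homes/alice/.bashrc"
    cp "$d/skel/.profile" "$d/homes/alice/.profile"
    # constructed: alice's .profile gained a line sourcing a hidden file
    printf '. "$HOME/.cache/update"\n' >> "$d/homes/alice/.profile"
    # constructed: an executable sitting in a dot-directory
    printf '#!/bin/sh\ntrue\n' > "$d/homes/alice/.cache/update"
    chmod 755 "$d/homes/alice/.cache/update"
    cp "$d/skel/.bashrc" "$d/homes/bob/.bashrc"
    printf 'notes\n' > "$d/homes/bob/notes.txt"
    printf '%s\n' "$d"
}

# Stand-alone use: audit_homes <restored-home-dir> <reference-dir>
if [ "$#" -ge 2 ]; then
    audit_homes "$1" "$2"
fi
```

Run it as `sh audit.sh /mnt/restore/home /etc/skel` from the freshly installed system, never from the compromised one, since the reply's point is that nothing on the old system can be trusted. A non-empty report is a starting point for manual review, not a verdict: legitimate scripts in a home directory will show up too, which is exactly why each hit has to be looked at by hand.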
