[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to fix rootkit?

On Thu, 9 Feb 2012, Jason Fergus <leech@thefnords.org> wrote:
> Out of curiosity, couldn't one technically boot up a liveCD, mount the
> drive(s) and then download the .debs individually, then extract them
> over the mounted partitions, effectively copying over all of the
> binaries.

There is the possibility of SUID binaries not owned by packages and the issue 
of configuration files which have malicious changes.

The best thing to do is to install all the same packages on a new system and 
then run a "diff -r" on the /etc directory and determine which differences are 
desired configuration changes and which might have been made by the attacker.

My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to: