[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how to fix rootkit?

08.02.2012 17:40, Repasi Tibor пишет:
But, the most important: think before you act. If you wipe and reinstall the system, it could be as vulnerable as it was, so it may be rooted before you have it fully up again. Consider the following:

- Cut network connection. Having the system off-line you can investigate the situation undisturbed. However, there is a small chance that the rootkit eliminates itself when counteraction (network unplug) is detected.

- Announce the incident. In the company, to customers, and to whom it may concerns.

- Think about essential services running on the system. What your business cannot run without, you should care to restart minimal sufficient services (probably from some other hosts).

- Prepare yourself in doing the investigation. A good starting point: http://www.fish2.com/tct/help-when-broken-into

- Backup the last state for investigation. Do a backup of all filesystems prior to reboot (as suggested), than reboot to a clean environment and dump the HD contents again.

- Investigate. Find the answers to questions: How the intruder gained root access? What vulnerability was necessary to do so? What countermeasures are available on the issue?
It's good question. Firewall was all right. But few months earlier I had opened ssh access from any IP (3-times attempt to login limit was leaved). Enother thing was tweaked is ntp. /bin/top and other scripts was changed by malefactor like "chgrp ntp /bin/top", but it's probably a coincidence of a group id. And also most likely causes may be were http://www.debian.org/security/2012/dsa-2403 and http://www.debian.org/security/2012/dsa-2405
By the way /bin/top and other was changed at 4:30 6 feb 2012.
The system was very secured and each week it was updating to the last release. If such bugs can occure (like dsa-2405) then there is no a solution to reflect the attach that goes few minutes after the fix is released.

Can you setup a new system which is immune against the intrusion?

- Setup a new and clean system from a latest release and take necessary action to provide hardened security.

- Stepwise re-enable services.

On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
Hash: SHA1

I would rather (if it's ok for the server do be down for a while) unplug
the internet cable and dd (and/or rsync) all the partitions before
A lot of information (including swap) is lost during reboot...

Leonor Palmeira.

On 08/02/12 14:50, Fernando Mercês wrote:
I recommend you boot with some live CD system and make a dump of each
partition, including swap, with dd. So you can analyze it after wipe
your system.

This analysis will help you to discover how attacker have gained root
access, protect your actual system and feed community with real case
information. If you need help, please let me know.

Best regards,

Fernando Mercês
Linux Registered User #432779
II Hack'n Rio - 23 e 24/11

On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
<als@thangorodrim.de>  wrote:
On Wed, Feb 08, 2012 at 11:53:14AM +0300, volk@lab127.karelia.ru wrote:
Today I found next things at squeeze. Please help to fix, I've no
experience in such tasks.

# chkrootkit
ROOTDIR is `/'
Checking `ifconfig'...                                      INFECTED
Checking `netstat'...                                       INFECTED
Don't even try to fix, with the system rooted you cannot trust it.
The only safe course of action is to wipe the system and reinstall it.

If you need the data on the machine and have no current backups, boot
from a rescue CD (giving you a _clean_ environment) and copy the data
off, then wipe&  reinstall.

Kind regards,
"Opportunity is missed by most people because it is dressed in overalls and looks like work." -- Thomas A. Edison

To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org Archive: 20120208125104.GA18436@thangorodrim.de">http://lists.debian.org/20120208125104.GA18436@thangorodrim.de

- -- Leonor Palmeira, PhD

Phone: +32 4 366 42 69
Email: mlpalmeira AT ulg DOT ac DOT be

Immunology-Vaccinology, Bat. B43b
Faculty of Veterinary Medicine
Boulevard de Colonster, 20
University of Liege, B-4000 Liege (Sart-Tilman)
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


Александр Сергеевич Волков

www: http://www.frgroup.ru
mob: +79215283540
e-mail: volk@kadr.tv
skype: v2003_2003@mail.ru
icq: 255569374

Reply to: