Re: how to fix rootkit?
08.02.2012 17:40, Repasi Tibor wrote:
But, the most important: think before you act. If you wipe and
reinstall the system, it could be as vulnerable as it was, so it may
be rooted before you have it fully up again. Consider the following:
It's a good question. The firewall was all right. But a few months earlier I had
opened ssh access from any IP (the 3-attempt login limit was left in place).
Another thing that was tweaked is ntp. /bin/top and other scripts were changed
by the malefactor, like "chgrp ntp /bin/top", but it's probably a coincidence
of group id.
And also the most likely causes may have been
- Cut the network connection. Having the system off-line, you can
investigate the situation undisturbed. However, there is a small
chance that the rootkit eliminates itself when counteraction (network
unplug) is detected.
- Announce the incident. In the company, to customers, and to whom it
- Think about essential services running on the system. For what your
business cannot run without, you should take care to restart the minimal
sufficient services (probably from some other hosts).
- Prepare yourself for doing the investigation. A good starting point:
- Back up the last state for investigation. Do a backup of all
filesystems prior to reboot (as suggested), then reboot to a clean
environment and dump the HD contents again.
- Investigate. Find the answers to these questions: How did the intruder gain
root access? What vulnerability was necessary to do so? What
countermeasures are available for the issue?
By the way, /bin/top and the others were changed at 4:30 on 6 Feb 2012.
The system was very secure and each week it was updated to the latest
If such bugs can occur (like dsa-2405) then there is no solution to
repel an attack that comes a few minutes after the fix is released.
Can you set up a new system which is immune against the intrusion?
- Set up a new and clean system from the latest release and take the
necessary action to provide hardened security.
- Stepwise re-enable services.
On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
I would rather (if it's ok for the server to be down for a while) unplug
the internet cable and dd (and/or rsync) all the partitions before
A lot of information (including swap) is lost during reboot...
On 08/02/12 14:50, Fernando Mercês wrote:
I recommend you boot with some live CD system and make a dump of each
partition, including swap, with dd, so you can analyze it after the wipe.
This analysis will help you discover how the attacker gained root
access, protect your actual system and feed the community with real-case
information. If you need help, please let me know.
Linux Registered User #432779
II Hack'n Rio - 23 and 24/11
On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber wrote:
On Wed, Feb 08, 2012 at 11:53:14AM +0300, email@example.com wrote:
Today I found the following things on squeeze. Please help me fix it; I have no
experience in such tasks.
ROOTDIR is `/'
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Don't even try to fix it; with the system rooted you cannot trust it.
The only safe course of action is to wipe the system and reinstall it.
If you need the data on the machine and have no current backups, boot
from a rescue CD (giving you a _clean_ environment) and copy the data
off, then wipe & reinstall.
"Opportunity is missed by most people because it is dressed in
looks like work." -- Thomas
- -- Leonor Palmeira, PhD
Phone: +32 4 366 42 69
Email: mlpalmeira AT ulg DOT ac DOT be
Immunology-Vaccinology, Bat. B43b
Faculty of Veterinary Medicine
Boulevard de Colonster, 20
University of Liege, B-4000 Liege (Sart-Tilman)
Александр Сергеевич Волков
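A worked example, added here and not code from anyone in this thread, that puts the advice above into a script you would run from a clean live/rescue environment: image every partition (swap included, since it is lost on reboot) with dd and record a hash of each image, then check the suspect root filesystem's binaries (the chkrootkit hits on ifconfig and netstat, the changed /bin/top) against a dpkg-style md5sums manifest that comes from a trusted source rather than from the compromised disk. Device names, the manifest location and the demo's sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Run from a clean
# rescue/live environment with the suspect disk attached, ideally after
# `blockdev --setro /dev/sdX` so nothing on it can be modified. Device
# names, the manifest file and the demo data are assumptions.
set -u

# image_device SRC DEST
# Raw-copies SRC (e.g. /dev/sda1, or the swap partition) to DEST with dd,
# writes the SHA-256 of the image next to it and prints that digest.
# bs=512 matches the sector size, so conv=noerror,sync pads only an
# unreadable sector with zeros instead of a whole large block (a partial
# final block is still padded to 512 bytes, which shifts the image hash
# away from the source hash; keep the image's own hash as the reference).
image_device() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$dest" | awk '{print $1}' > "$dest.sha256" || return 1
    cat "$dest.sha256"
}

# verify_manifest ROOT MANIFEST
# ROOT is the mounted (read-only) root filesystem of the suspect host;
# MANIFEST is a dpkg-style md5sums list ("hash  relative/path", the format
# of /var/lib/dpkg/info/*.md5sums). Take the manifest from a trusted source
# such as a freshly downloaded .deb or a clean box: the copy on the
# compromised disk may have been edited by the same intruder who replaced
# /bin/top. Prints the relative path of every file whose hash differs or
# which is missing, one per line.
verify_manifest() {
    root=$1
    manifest=$(readlink -f "$2") || return 1   # absolute, since we cd into ROOT
    [ -d "$root" ] || return 1
    [ -r "$manifest" ] || return 1
    (cd "$root" && md5sum -c "$manifest" 2>/dev/null) \
        | sed -n 's/: FAILED.*$//p'
}

# demo: a constructed scenario (no real devices touched) that exercises
# both functions and prints the one tampered path, "bin/top".
demo() {
    tmp=$(mktemp -d) || return 1
    # 2 KiB of random bytes standing in for a partition; a multiple of 512,
    # so the image hash must equal the source hash.
    head -c 2048 /dev/urandom > "$tmp/sda1"
    img_hash=$(image_device "$tmp/sda1" "$tmp/sda1.img") || return 1
    src_hash=$(sha256sum "$tmp/sda1" | awk '{print $1}')
    [ "$img_hash" = "$src_hash" ] || return 1
    # Root filesystem with two "binaries", a manifest taken while clean,
    # then one binary replaced the way the thread describes for /bin/top.
    mkdir -p "$tmp/root/bin"
    printf 'clean top\n' > "$tmp/root/bin/top"
    printf 'clean ls\n'  > "$tmp/root/bin/ls"
    (cd "$tmp/root" && md5sum bin/top bin/ls) > "$tmp/trusted.md5sums"
    printf 'trojaned top\n' > "$tmp/root/bin/top"
    verify_manifest "$tmp/root" "$tmp/trusted.md5sums"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh acquire.sh demo` to see the constructed scenario, or source it and call `image_device /dev/sda1 /mnt/evidence/sda1.img` for each partition of the suspect disk, then `verify_manifest /mnt/suspect /mnt/evidence/procps.md5sums` with the manifest taken from a trusted copy of the package. Keep the `.sha256` files with the images: they are what lets you show later that the image you analysed is the one you took before the reboot.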