
Re: hacked: can't delete files




On Tue, 23 Aug 2005, Dalibor Straka wrote:

... 
> > ns:/usr/lib/libsh# rm -rf *
> > rm: cannot unlink `hide': Permission denied
> > rm: cannot remove directory `utilz': Permission denied

fun stuff ...
 
> This could be caused by modified rm or some kernel module.
> The easiest way is to boot to knoppix and remove this. Then
> delete the whole system and install new ;-)

if you're gonna re-install ...
	- just wipe the disk and install, why bother with knoppix ??

--------

personally... i think any hacked machine should be looked over
carefully to be able to answer the following:
	- who broke in
	- how did they get in
	- why did they break in ( sometimes there's no answer )
	- where they came from
	- how many times did they come in
	- how many prev attempts did they try
	- how long before you noticed them
	- what other machines did they break into
	  ( esp for those of you that like passwordless logins )
	- what text files were read or edited
	- which binaries and libraries did they modify
	- what extra directories and files exist
	- what did they sniff and for how long ( passwds )
	- .. endless list ..

- reinstalling a hacked box is the worst thing to do in my book
  but by the same token is the best if you don't want to answer
  the above questions, esp "how did they break in"

	- since they sniffed your wire, what's your new passwd
	or are you gonna use the same loginID and passwords ??

	( why bother reinstalling if you don't at least change these )

- remove their trojans, apply your patches and see if they 
  can break in again ... they will probably be back to knock
  on your door again, but more quietly the 2nd time

	- change your passwd only on the local console,
	and NEVER change passwd remotely

- gazillion things to do after a breakin ...
	- it's 1000x cheaper to prevent the initial breakin ..

c ya
alvin



