
Re: hacked server



No not as a mirror.

No not as raid.

Just online/available but not in $PATH, not booted from.
BIOS boots from typically CDROM first, IDE0 primary second.
If your drive is on IDE1 (or SATA1), BIOS shouldn't load
its boot sector, and Linux shouldn't mount it or run
anything off it unless you tell it to (DON'T).

Heck, to feel safe, if and when you mount it, mount it with
-o noexec, which keeps any binaries from being executed.  Of
course this may be a no-op right now; the manpage says "This
trick fails since Linux 2.4.25 / 2.6.0".

According to Jon Miller,
> Wouldn't the same rootkits be on the secondary? In a mirror it writes to the primary then writes to the secondary drive.  I plan to keep the drive intact since I may need files from the drive(s).
> 
> >>> Tony Godshall <togo@of.net> 3:47:57 pm 18/03/2006 >>>
> 
> If it was me, I'd move the drive to secondary and get a new
> drive for primary.  Then you can copy and diff and whatever.
> If you forgot something, no worries, it's mounted over
> there at /olddrive/home/ or /olddrive/etc
> 
> According to Jon Miller,
> > I have a hacked server that has a few rootkits installed.  I'm going to rebuild this using the following procedure:
> > 1) backup data files
> > 2) copy /etc/*.conf
> > 3) either make an image of the system and then blow it away or get new drives.
> > 
> > Have I missed out on anything?
> > 
> > 
> > Thanks
> > 
> > Jon L. Miller,  ASE, CNS, CLS, MCNE, CCNA
> > Director/Sr Systems Consultant
> > MMT Networks Pty Ltd
> > http://www.mmtnetworks.com.au
> > Resellers for: Novell Gold Partner, Cisco Partner, Peopletelecom, Westnet, Sophos Anti-Virus, CA Products
> > 
> > "I don't know the key to success, but the key to failure
> >  is trying to please everybody." -Bill Cosby
> 
> 
> 
> -- 
> 
> Best Regards,
> 
> Tony



-- 

Best Regards,

Tony
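An added example, not part of the thread above, of how the "move the old drive to secondary, mount it read-only, then copy and diff" plan can be scripted. The device name /dev/sdb1 and the mount point /olddrive are assumptions for illustration; the mount itself needs root and a real device, so the script only prints that command, while the checks that follow run on a constructed directory tree. One caveat on the noexec remark: the mount(8) sentence "This trick fails since Linux 2.4.25 / 2.6.0" describes the old /lib/ld-linux.so bypass of noexec no longer working, so noexec is enforced on those kernels; adding ro, nosuid and nodev keeps the compromised filesystem from being written to and keeps its setuid binaries and device nodes inert.

```shell
#!/bin/sh
# Added example (not from the original thread): treat the compromised drive as
# read-only evidence while the rebuilt system runs from the new primary drive.
# OLD_DEV and OLD_MNT are hypothetical names, not taken from the thread.
OLD_DEV=/dev/sdb1
OLD_MNT=/olddrive

# Options a compromised filesystem should be mounted with: no writes (keeps
# timestamps intact for later analysis), no execution, no setuid/setgid
# honoured, no device nodes honoured.
SAFE_OPTS="ro,noexec,nosuid,nodev"

# Build the mount command; printed rather than run because it needs root
# and a real block device.
mount_cmd() {
    printf 'mount -t auto -o %s %s %s\n' "$SAFE_OPTS" "$1" "$2"
}

# Verify a /proc/mounts line carries every required option.
# Usage: check_mount_line "<line from /proc/mounts>"   (0 = all present)
check_mount_line() {
    set -- $1            # split on whitespace: dev mnt fstype opts dump pass
    opts=$4
    for want in ro noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# List setuid/setgid files under the mounted tree: a quick first pass for
# rootkit leave-behinds before anything is copied off the old drive.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Step 2 of the original plan, done carefully: report which configs differ
# between the old drive's /etc and the fresh install before copying any back.
diff_etc() {
    diff -rq "$1" "$2" 2>/dev/null
}

# ---- stand-alone demo on a constructed tree (no root, no real device) ----
demo() {
    mount_cmd "$OLD_DEV" "$OLD_MNT"
    tmp=$(mktemp -d)
    mkdir -p "$tmp/old/etc" "$tmp/old/usr/bin" "$tmp/new/etc"
    printf 'PermitRootLogin yes\n' > "$tmp/old/etc/sshd.conf"   # constructed
    printf 'PermitRootLogin no\n'  > "$tmp/new/etc/sshd.conf"   # constructed
    printf '#!/bin/sh\n' > "$tmp/old/usr/bin/ls"
    chmod u+s "$tmp/old/usr/bin/ls"                              # planted setuid bit
    echo "setuid/setgid files on old drive:"
    find_setuid "$tmp/old"
    echo "config differences old vs new:"
    diff_etc "$tmp/old/etc" "$tmp/new/etc"
    rm -rf "$tmp"
}

demo
```

After the real mount, `grep "$OLD_MNT" /proc/mounts | check_mount_line "$(cat)"` style checks catch the common mistake of a distribution automounter or an fstab entry remounting the old drive read-write. Copy data off with `cp -a` into a quarantined directory on the new drive and diff configs before reinstating any of them; binaries from the old drive are never executed or copied back.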


