Re: Ack! I've been rooted...

On Thursday, Feb 1st 2007 at 17:58 -0600, quoth Chris Mohler:

=>Well, through no one's fault but my own our file server has been compromised.
=>
=>It looks like the SHV5 kit.  I plan a reformat/reinstall tomorrow and
=>I was wondering if anyone had advice.  I discovered that some of the
=>coreutils had been replaced with compromised versions, so I (stupidly)
=>downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried
=>'rpm --Uvh coreutils'.  Should have researched that a bit, because (as
=>root) I don't have permission to remove/rename the hacked binaries!
=>Oops. For the time being, I've (physically) removed the server's
=>network connection.
=>
=>So - the plan:
=>1. telinit 1
=>2. try to reinstall coreutils
=>3. telinit 3
=>4. rsync the last week's worth of data to another machine
=>5. reformat/reinstall
=>6. create new home dirs
=>7. rsync the data back - do a recursive chown/chmod
=>8. run rkhunter
=>
=>Any thoughts on this plan of attack are welcome.
=>
=>And of course the moral of all of this is UPDATE and DON'T RUN
=>UNNEEDED WEB SERVICES.  This happened on a FC2 server (I know ;) ),
=>and possibly via the SWAT or phpMyAdmin web interfaces.


I read this thread and I have a question on why this problem is not 
handled in a more direct approach instead of the blood & guts reload 
approach: If you simply reinstall the rpm package (something like)

rpm -Uvh --replacepkgs rpm-4.4.1-22.i386.rpm 

then you know that the binaries are good. From there all you have to do is 

rpm -Va

and then look at what problems come out. It shouldn't take long.

Use the force Luke!

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net
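The "look at what problems come out" step above is where `rpm -Va` triage usually stalls, because a full verify prints hundreds of lines, most of them harmless config edits. The script below is an added example, not code from this thread or from the rpm project: it parses saved verify output and ranks each line so that content changes to files under the system binary and library directories (the kind of replacement the original poster found in coreutils) are separated from config-file noise. It assumes the verify output was written to a file first, ideally produced from trusted media (boot a rescue image and run `rpm --root /mnt/sysimage -Va`), since on a rooted host the rpm binary, its libraries, the rpm database and the running kernel are all suspect. The sample lines embedded in `SAMPLE` are constructed, not captured from the compromised server.

```python
"""Triage saved `rpm -Va` output after a suspected root compromise.

Added example for this thread; assumes the verify output was captured to
a file from trusted media. Paths and attribute strings in SAMPLE are
constructed for illustration.
"""
import re
import sys

# One verify line: an attribute column (8 chars on rpm 4.4-era releases,
# 9 on later releases that add the capabilities flag "P"), an optional
# file-type letter (c=config, d=doc, g=ghost, l=license, r=readme), then
# the absolute path. '?' marks a test that could not be performed.
VERIFY_RE = re.compile(
    r'^(?P<attrs>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$')
MISSING_RE = re.compile(r'^missing\s+(?:[cdglr]\s+)?(?P<path>/\S.*)$')

# Directories where a changed file almost always means a trojaned binary
# or library rather than a local customisation.
SYSTEM_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/',
               '/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/')

# Constructed sample of what a verify run might print on a box whose
# coreutils, procps and net-tools binaries were swapped out.
SAMPLE = """\
S.5....T    /bin/ls
S.5....T    /bin/ps
..5....T  c /etc/ssh/sshd_config
.......T  c /etc/sysconfig/clock
missing     /sbin/ifconfig
.M......    /usr/bin/passwd
S.5....T.   /usr/bin/top
Unsatisfied dependencies for some-package-1.0-1: other-package
"""


def classify(line):
    """Return (severity, path, reason) for one verify line, or None if
    the line is not a per-file verify result.

    severity: 'suspect'  content changed under a system dir, or missing
              'review'   any other content/permission change, or a test
                         rpm could not perform ('?')
              'noise'    mtime-only or config-metadata-only changes
    """
    line = line.rstrip('\n')
    m = MISSING_RE.match(line)
    if m:
        return ('suspect', m.group('path'), 'file missing')
    m = VERIFY_RE.match(line)
    if not m:
        return None
    attrs, ftype, path = m.group('attrs'), m.group('ftype'), m.group('path')
    content_changed = '5' in attrs or 'S' in attrs          # digest or size
    perms_changed = any(flag in attrs for flag in 'MUG')    # mode/owner/group
    unverified = '?' in attrs
    in_system_dir = path.startswith(SYSTEM_DIRS)
    if unverified:
        return ('review', path, 'verification incomplete: ' + attrs)
    if ftype == 'c':
        if content_changed:
            return ('review', path, 'config file edited: ' + attrs)
        return ('noise', path, 'config metadata only: ' + attrs)
    if content_changed and in_system_dir:
        return ('suspect', path, 'system binary content changed: ' + attrs)
    if content_changed or perms_changed:
        return ('review', path, 'changed: ' + attrs)
    return ('noise', path, attrs)


def triage(lines):
    """Bucket every verify line by severity; returns a dict of lists of
    (path, reason) so callers can act on 'suspect' first."""
    buckets = {'suspect': [], 'review': [], 'noise': []}
    for line in lines:
        result = classify(line)
        if result:
            buckets[result[0]].append((result[1], result[2]))
    return buckets


if __name__ == '__main__':
    # Usage: python triage_rpm_verify.py /path/to/rpm-Va.txt
    # With no argument the constructed SAMPLE is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    report = triage(source)
    for severity in ('suspect', 'review', 'noise'):
        for path, reason in report[severity]:
            print(f'{severity:8} {path:32} {reason}')
```

Anything in the `suspect` bucket is evidence, not something to repair in place: a rootkit that replaced `ls` and `ps` has usually also installed a kernel module or a trojaned libc that hides its own files, and `rpm -Va` only compares what the running system is willing to show it against a database the intruder could also have edited. The output is useful for scoping what was touched and for deciding which data is safe to rsync off before the reinstall the original poster planned.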
