Alfred von Campe wrote:
> Anyone recognize this root kit (if that is what it is)? I've disabled
> the backup account, and re-enabled port forwarding on my router (so I
> can access the system from home). Other than deleting these files, is
> there anything else I should worry about? I'd rather not re-install the
> OS...

My advice is to reinstall too. Cleaning a compromised machine is an error-prone job, especially if it is something you have never done before. Have you been running anything like Tripwire on that box? Without it (or something similar), and without its database stored off the machine or on read-only media (CD/DVD), I'd be very reluctant to even attempt cleaning the machine.

Anyhow, if you decide to proceed with a cleaning attempt (and not reinstall), boot into rescue mode from the installation CD. That way you'll be using a clean kernel and binaries to examine the system. Do not chroot into the compromised file systems, since this could simply trigger loading of the rootkit (and then you won't see anything).

If you haven't been running tools like Tripwire, you could make a fresh installation on some spare system, undo the prelink stuff on both machines (prelink changes your binary files), create the database on the clean system, copy it to the compromised system and run a check. This should find all changed, added and removed files (if you do it properly), as long as you run it from rescue mode.

rpm in verify mode will find changed files; however, it will not find changes in configuration files. It also won't be able to find added files (for example kernel modules that are supposed to hide files from you and from tools such as rpm and/or Tripwire). But it might be a good start. Again, run rpm from rescue mode, and do not chroot. You don't want to use the (potentially modified) rpm from the file system; you want to use the clean rpm binary from the installation media (it has a couple of options to point it to where the root file system is mounted).
You could also try to remove all kernels, then manually remove the kernel directories in /lib/modules, and reinstall the kernel (again from rescue mode, and avoid chrooting if possible). This should get rid of additional kernel modules that were part of the rootkit. There's a plethora of other stuff to do or try. But even if I went along and made this posting 10 times longer than it already is, you wouldn't be 100% sure you'd cleaned the machine. Again, reinstall is really your best friend here. You'll probably spend way more time attempting to clean up than if you were simply to reinstall and restore data (and only data, not config files or anything else, and watch for config files that might be part of the data) from backup.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
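The post's rpm-verify step, as an added example that is not part of the thread: a small POSIX shell triage for `rpm -Va` output captured from the rescue shell, run with the install media's own rpm binary and `--root` pointed at the mounted (read-only) root file system. It assumes the compromised root is mounted at /mnt/sysimage (the usual rescue-mode mount point; adjust to taste) and that the flag column uses the standard `rpm -V` letters. Config-file entries are listed separately rather than trusted, echoing the post's caution about configuration files, and the sample verify output embedded at the bottom is constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): triage "rpm -Va" output.
#
# Real usage from the rescue shell, with the compromised root mounted read-only
# at /mnt/sysimage (assumed mount point) and the rescue media's rpm on PATH:
#   rpm -Va --root=/mnt/sysimage > /tmp/verify.txt
#   triage_rpm_verify < /tmp/verify.txt
#
# rpm -V flag columns: S size, M mode, 5 digest, D device, L symlink,
# U user, G group, T mtime, P capabilities. "." = unchanged, "?" = untestable.
# An optional second column holds an attribute letter, e.g. "c" for config.

# Emit one classified line per verify line: SUSPECT, CONFIG, MISSING or INFO.
triage_rpm_verify() {
  awk '
    $1 == "missing" { print "MISSING " $NF; next }   # file removed from disk
    {
      flags = $1; path = $NF; attr = (NF == 3) ? $2 : ""
      digest = (index(flags, "5") > 0)               # content changed
      mode   = (index(flags, "M") > 0)               # permissions/type changed
      if (attr == "c")          { print "CONFIG  " path }  # judge by hand
      else if (digest || mode)  { print "SUSPECT " path }  # packaged file altered
      else                      { print "INFO    " path }  # mtime/size-only noise
    }'
}

# Number of entries a responder must act on (altered or missing package files).
count_suspects() {
  triage_rpm_verify | grep -c -E '^(SUSPECT|MISSING)'
}

# Constructed sample verify output (not real data from any host).
SAMPLE='S.5....T.    /bin/ls
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing     /sbin/ifconfig
.M.......    /usr/bin/find'

# Stand-alone demonstration: classify the sample and report the action count.
printf '%s\n' "$SAMPLE" | triage_rpm_verify
printf 'entries needing action: %s\n' "$(printf '%s\n' "$SAMPLE" | count_suspects)"
```

As the post says, this only catches files rpm knows about; added files (extra kernel modules, dropped binaries) never appear in verify output, which is why a Tripwire-style baseline taken on a clean system is the stronger check.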