On Tue, Apr 20, 2010 at 11:23, Kousik Maiti <maiti.kousik@xxxxxxxxx> wrote:
> Hi list,
> This may be an irrelevant question.
> I have a system which was successfully attacked by some hackers. I want
> to diagnose it. I tried to google it but didn't get any doc. Is there any
> documentation so that I can check the system?

First of all, don't trust your system anymore. Reboot, pick a live CD distro, preferably one like Helix or FCCU that is specifically made for forensic needs, then boot it. This is done to avoid any active rootkit or modified shared libs being active.

Then check your whole system using programs like rkhunter. It is also worth checking for viruses using ClamAV or any other antivirus.

If you're using rpm (I think other packaging systems could do it too, but I am not sure), you can check the validity of the files using rpm -Va. IIRC, it is using MD5 hashes.

This doesn't guarantee you will find and eventually get rid of all the rootkits and backdoors the cracker might have implanted in your system. IMHO, probably the best way to make sure you will start clean is to back up your data somewhere else and reinstall your system.

NB: You might also want to do live memory forensics, but it is quite hard to do.

--
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant
blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
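An added example (not part of the mail above) for making the `rpm -Va` step readable during triage: it parses the verification output and separates expected config drift from digest mismatches on binaries and libraries, which is the signal a responder actually wants. The input below is a constructed sample, not output from a real host.

```python
"""Triage of `rpm -Va` output.

Each line rpm -V prints is a 9-character mask in the order S M 5 D L U G T P
(Size, Mode, MD5/digest, Device, Link, User, Group, mTime, caPabilities):
a letter means that check failed, '.' passed, '?' could not be run. An
optional attribute letter follows (c = config file), then the path. A '5'
on a non-config file means the contents on disk no longer match the digest
recorded at install time. Caveat: the rpm database lives on the suspect
disk too; run the check from the live CD (rpm -Va --root /mnt/target)
rather than trusting the compromised host's own rpm binary.
"""
import re

# Constructed sample: one edited config (expected), one file with only a
# changed mtime, two binaries/libs with digest mismatches, one unverifiable.
SAMPLE_RPM_VA = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libc.so.6
S.5....T.    /bin/ls
..?......    /usr/sbin/sshd
missing      /usr/share/doc/foo/README
SM5DLUGTP    /usr/lib64/libpam.so.0
"""

RPM_V_LINE = re.compile(
    r"^(?P<mask>[SM5DLUGTP.?]{9})\s+(?P<attr>[a-z]?)\s+(?P<path>/\S+)$"
)


def parse_rpm_va(text):
    """Yield (mask, attr, path); 'missing' lines are given mask 'missing'."""
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("missing"):
            yield "missing", "", line.split()[-1]
            continue
        m = RPM_V_LINE.match(line)
        if m:
            yield m.group("mask"), m.group("attr"), m.group("path")


def triage(text):
    """Bucket rpm -Va lines: digest/size/mode changes on non-config files are suspicious."""
    result = {"suspicious": [], "config": [], "missing": [], "unverifiable": [], "benign": []}
    for mask, attr, path in parse_rpm_va(text):
        if mask == "missing":
            result["missing"].append(path)
        elif attr == "c":
            result["config"].append(path)       # config drift is usually legitimate
        elif "?" in mask:
            result["unverifiable"].append(path)  # check could not run: inspect by hand
        elif any(flag in mask for flag in "5SM"):
            result["suspicious"].append(path)   # contents, size or mode changed
        else:
            result["benign"].append(path)       # e.g. only mtime differs
    return result
```

Feed it the saved output of the live-CD run (`rpm -Va --root /mnt/target > rpm-va.txt`) and start the manual review with the "suspicious" and "unverifiable" buckets.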