Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
My server was compromised this Saturday night by an attacker using an exploit against awstats. The intruder attempted to replace several binary files but only succeeded in knocking the computer completely off the network. I've removed all remnants of the intrusion with the exception of these two modified files--
Even as root I cannot delete these files. When I boot off the mandrake install disk in rescue mode, it doesn't mount the right drive for me to be able to mess with these files (that's just my own ignorance, not a complication of the intrusion).
I would reinstall the OS (Mandrake 10), but I've got too many custom settings for mail, web, web applications, database, that I don't want to have to recreate. That's why I'm attempting to manually fix this problem.
Bad idea. If someone that you don't trust has had root access for even only a few minutes, wipe the machine. Back up whatever settings you feel you need first, but you shouldn't let this box remain intact and dirty. If you don't wipe it every time there is a problem with the box this incident will lie in the back of your mind and bother you - did I really get everything off?
I agree 100% with wiping this box clean and installing from scratch. I hear you on the downtime issue, but if you want to prevent future downtime you need to be completely sure you have removed the rootkit / bad software.
Before doing so, take backups so that you have the old data and a snapshot of the system files that you will need in case you file a lawsuit.
If you do a good backup you should be able to wipe and have a working system within the hour. Tar up the entire /etc directory as well as the /home and /root directories if necessary. Grab /var but don't even try to use it to restore - just keep it on hand in case you need to glance at a log file or something. Only restore file by file to make sure that you don't get anything tainted. I've been there before - the peace of mind is completely worth the time.
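The procedure the replies describe (archive /etc, /home, /root and /var from a rescue boot, keep the archives as evidence, then restore single files rather than whole trees) as a POSIX shell example. This is added here and is not code from the thread; the function names `snapshot_tree`, `verify_manifest` and `restore_file` and the directory layout are my own, and it assumes `tar`, `sha256sum` and (optionally) `lsattr` are on the rescue media.

```shell
#!/bin/sh
# Evidence-preserving snapshot of a compromised tree before wiping it.
# Added example, not from the thread. Assumed helper names and layout.
#
#   snapshot_tree SRCROOT DEST dir...
#     SRCROOT : where the compromised disk is mounted (read-only, from a rescue boot)
#     DEST    : a directory on separate media the attacker never touched
#     dir...  : top-level directories to archive, e.g. etc home root var
#   Prints the timestamp used in the artifact names on stdout.
snapshot_tree() {
    src="$1"; dest="$2"; shift 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    for d in "$@"; do
        if [ ! -d "$src/$d" ]; then
            echo "skip: $src/$d is not a directory" >&2
            continue
        fi
        out="$dest/$d-$stamp.tar.gz"
        # -C keeps archive paths relative so a later restore cannot
        # accidentally overwrite the live system's root.
        tar -czf "$out" -C "$src" "$d"
        # Record ext2/3 attribute flags (immutable 'i', append-only 'a'):
        # they are one common reason root "cannot delete" a file, and the
        # listing is part of the evidence. Harmless if lsattr is missing.
        ( cd "$src" && lsattr -R "$d" ) > "$dest/$d-$stamp.lsattr" 2>/dev/null || true
        echo "archived $d -> $out" >&2
    done
    # One manifest with the hash of every artifact. Copy it off-box too;
    # a manifest you cannot prove is unaltered is not worth much in court.
    ( cd "$dest" && sha256sum ./*-"$stamp".tar.gz ./*-"$stamp".lsattr ) \
        > "$dest/MANIFEST-$stamp.sha256"
    echo "$stamp"
}

# verify_manifest DEST STAMP: exit 0 only if every artifact still matches its hash.
verify_manifest() {
    ( cd "$1" && sha256sum -c "MANIFEST-$2.sha256" >/dev/null )
}

# restore_file ARCHIVE MEMBER DESTROOT: pull exactly one file out of a snapshot
# into the rebuilt system (e.g. etc/postfix/main.cf), never the whole tree.
restore_file() {
    tar -xzf "$1" -C "$3" "$2"
}
```

Run it from the rescue environment with the old disk mounted read-only as SRCROOT and DEST on a USB drive or a second disk, then `verify_manifest` the copy before you trust it. On a 2004-era rescue disk without `sha256sum`, substitute `sha1sum` or `md5sum` in both functions. `restore_file` deliberately takes one member at a time: an attacker who had root may have left edits in /etc, so each file you pull across should be read before it goes live on the rebuilt box.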