The problem is that no matter how I try, the 7.2 install boots and it is driving me bananas!
The 7.2 disk is your master, and most likely has the bootloader in the MBR. Changing this would change the contents of the disk, which is something you DO NOT WANT when doing basic forensics...
I agree the offered solutions should work, but Cyph3r7's first question should draw your attention first. It should be "easier" to detach the 7.2 disk, attach the 9.2 disk as master, install, and reattach the 7.2 as a read-only slave. If it was already part of the 7.2 box *before* the compromise, you should have backed that one up first, and don't forget to nuke it before installing.
If you're still unable to get 9.2 going, have a look at the FIRE/Biatchux (http://biatchux.sourceforge.net/) forensics CD. Kinda cool, because now you can use the 9.2 disk (since you prolly didn't back it up before messing with it) as a dump to hold the image of the 7.2 disk. Remember to work on A COPY of the 7.2 image, and if you don't keep logs of what you do to the image, at least try working under "script".
I found it had been compromised via an LKM hack and a rootkit had been installed.
If all of this didn't work, you can boot the FIRE CD-R or 9.2 CD-R (in rescue mode) and you may be able to mount the 7.2 disk (read-only!) and list the contents. Just to satisfy my curiosity:
What anomalies have you found in the logs?
Are the contents of the authentication files changed?
If you run rpm in verify mode, what md5sums changed?
Which rootkit was installed? If unknown, what's the listing of visible files?
What LKM was installed? If unknown, what's the listing of visible files?
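As an added illustration of the workflow the reply describes (image the suspect 7.2 disk, verify that the working copy matches before touching it, mount it read-only, then pick the md5sum changes out of rpm verify output), here is a small POSIX shell script. It is not from the post or from the FIRE project; the rpm -V sample lines are constructed for the example, and the device path and mount point are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the imaging and
# rpm-verify triage steps discussed in the thread.

# Constructed sample of "rpm -Va" output. Column 1 is the attribute flags
# (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime),
# an optional "c" marks a config file, and the last column is the path.
SAMPLE_RPM_V='S.5....T    /bin/ls
.......T  c /etc/issue
S.5....T    /bin/ps
.M......    /usr/bin/top
missing     /sbin/ifconfig'

# Print the paths whose MD5 flag (third character of column 1) is set,
# i.e. whose contents no longer match the package database.
changed_md5() {
    printf '%s\n' "$1" | awk '$1 !~ /^missing/ && substr($1, 3, 1) == "5" { print $NF }'
}

# Compare the digest of the original image with the working copy.
# Prints "match" or "MISMATCH". Usage: verify_copy original copy
verify_copy() {
    a=$(md5sum "$1" | cut -d' ' -f1)
    b=$(md5sum "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Image the suspect disk block for block and record its digest next to it.
# Needs root and a real device; not called at top level here.
# Usage: image_disk /dev/hdb /mnt/dump/rh72.img   (placeholder names)
image_disk() {
    dd if="$1" of="$2" bs=4k conv=noerror,sync
    md5sum "$2" > "$2.md5"
}

# Loop-mount a raw image strictly read-only for inspection (needs root).
# Usage: mount_image_ro /mnt/dump/rh72.img /mnt/evidence   (placeholder names)
mount_image_ro() {
    mkdir -p "$2"
    mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}

# Demonstration on the constructed sample: lists /bin/ls and /bin/ps.
changed_md5 "$SAMPLE_RPM_V"
```

One caveat on the last step: running rpm -V with the compromised system's own rpm binary and RPM database tells you only what a rootkit left unaltered. Run it from the rescue environment against the mounted image, with a database you trust or with `rpm -Vp` against the original packages, and treat "missing" entries as suspicious too.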