LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-12-2008, 02:04 AM   #1
echorequest
LQ Newbie
 
Registered: Dec 2007
Posts: 9

Rep: Reputation: 0
What to do after break-in – Stopping the damage


From the book I read, they suggest a couple of things to do after a break-in.

1. Take the system into a single-user mode.
2. Turn off all official root processes and all user processes.
Anything left over may be from the hacker.

My question is how to take the system into a single-user mode & how to turn off all official root processes and all user processes.

Thanks in advance
 
Old 02-12-2008, 03:22 AM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
Welcome to LQ!

To go to single-user mode, exit the X Window System and issue "init 1" as root.

To turn off processes, issue "ps aux" to see the running processes, then "kill pid" (pid = process id number).

If that doesn't do what you want, Google for "chkrootkit" and go with it.
 
Old 02-12-2008, 05:41 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ntxploits View Post
Turn off all official root processes and all user processes.
Anything left over may be from the hacker.
Besides the fact that I like what you're doing (reading, which means preparing, which is a Good Thing), a few remarks if I may:
- finding leftovers will only work if the processes were not hidden by a rootkit. If that is the case you may find evidence by using additional tools, but that depends on what rootkit is used. Sometimes it may be as simple as touching a file or sniffing network traffic (kiddies love IRC).
- One should not trust only the processes' argv[0] to determine the functionality of a process. Stupid example: a cursory glance at the process list shows a process "/usr/bin/httpd 1m" (which was set up as '/bin/doexec /bin/sleep /usr/bin/httpd 1m'), while using 'readlink -f /proc/$PID/exe' or 'lsof -w -n -p $PID' reveals it's not a HTTP daemon but /bin/sleep.
- finding *no* leftovers is no "evidence" the process list is clean. If there is any unexplainable behaviour out of the ordinary, any gut feeling, any doubt at all, *do act on it* and don't shrug it off.
Next to that, use a checklist and don't skip steps without good reason. A checklist helps you to go through necessary steps in an orderly fashion and makes sure you don't miss checking things. At this forum we promote the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. Other links of interest you may find in the (slightly aging) LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261.

Good luck.


Quote:
Originally Posted by Bruce Hill
If that doesn't do what you want, Google for "chkrootkit" and go with it.
* One problem is disturbing the crime scene. If there's any suspicion of malicious activity, you shouldn't introduce things without reasoning that could wipe evidence. Your options are: installing auditing tools right after a clean O.S. install, running tools from CDROM, or, if that is impossible, accepting the trade-off and installing post-incident. In the latter case at least build the toolkit on another box, see if you can run them from /dev/shm, and if that won't work (no benefit since already too much swapping, need of "real" fs) install on disk.
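A small POSIX shell audit script that applies the checks from the two replies above (Bruce Hill's walk over the process list, unSpawn's comparison of argv[0] against 'readlink -f /proc/$PID/exe'), as an added example that is not part of the original thread or of any tool it names: it walks /proc, compares each process's argv[0] with the binary the kernel is actually executing, and flags mismatches as well as processes whose binary has been unlinked since they started. Function names, the output format and the sample values in the comments are mine. As unSpawn notes, a kernel rootkit can hide processes from /proc entirely and the host's readlink, tr and head may themselves be trojaned, so treat this as a first pass, run from known-good media where possible, not as proof of a clean process list.

```shell
#!/bin/sh
# Added example, not from the thread. Walks /proc and compares each process's
# argv[0] with the resolved /proc/PID/exe link, the check described above.
# Assumptions: a Linux /proc, POSIX sh, and the host's readlink/tr/head being
# trustworthy (a rootkit can hide processes from /proc or replace these tools).

# basename without calling an external command, so a login-shell argv[0]
# such as "-bash" is never parsed as an option
base_of() {
    printf '%s\n' "${1##*/}"
}

# argv0_matches_exe EXE_PATH ARGV0
# Returns 0 when the basename of the executable equals the basename of argv[0]
# (a leading '-' on argv[0], as login shells set it, is ignored), 1 otherwise.
argv0_matches_exe() {
    exe_base=$(base_of "$1")
    argv0_base=$(base_of "$2")
    argv0_base=${argv0_base#-}
    [ "$exe_base" = "$argv0_base" ]
}

# classify_process EXE_LINK ARGV0
# EXE_LINK is the output of 'readlink /proc/PID/exe', ARGV0 the first
# NUL-separated field of /proc/PID/cmdline. Prints one of:
#   no-exe   - no readable exe link (kernel thread, zombie, or not running as root)
#   deleted  - the binary was unlinked after the process started
#   mismatch - argv[0] names a different program than the one being executed
#   ok       - the names agree
classify_process() {
    exe=$1
    argv0=$2
    case $exe in
        '')            echo no-exe;  return 0 ;;
        *' (deleted)') echo deleted; return 0 ;;
    esac
    if argv0_matches_exe "$exe" "$argv0"; then
        echo ok
    else
        echo mismatch
    fi
}

# audit_procs: print PID, verdict, exe and argv[0] for every process that is
# neither plainly 'ok' nor unreadable. Run as root so every /proc/PID/exe is
# readable; remember that a rootkit may hide processes from this listing.
audit_procs() {
    for d in /proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue          # process may already be gone
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        argv0=$(tr '\0' '\n' < "$d/cmdline" | head -n 1)
        verdict=$(classify_process "$exe" "$argv0")
        case $verdict in ok|no-exe) continue ;; esac
        printf '%s\t%s\t%s\t%s\n' "$pid" "$verdict" "$exe" "${argv0:--}"
    done
}

# The thread's own example: argv[0] claims httpd while the kernel runs /bin/sleep.
# classify_process /bin/sleep '/usr/bin/httpd'   -> mismatch

# Audit the live system when /proc is present (constructed values above are
# only for illustration; the walk below reads real process entries).
if [ -d /proc/self ]; then
    audit_procs
fi
```

Expect some benign mismatches in the output, for instance "sh" whose exe resolves to a dash or bash binary, busybox applets, or an interpreter symlink like python3 resolving to a versioned binary; those are explained by symlinks, not by argv[0] spoofing. For every remaining PID, 'lsof -w -n -p $PID' from the thread shows the open files and sockets that tell you what the process really does.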
All times are GMT -5. The time now is 04:46 AM.