Linux - Security
My server was compromised this Saturday night by an attacker using an exploit against awstats. The intruder attempted to replace several binary files but only succeeded in knocking the computer completely off the network. I've removed all remnants of the intrusion with the exception of these two modified files:
/sbin/ifconfig
/sbin/init
Even as root I cannot delete these files. When I boot off the mandrake install disk in rescue mode, it doesn't mount the right drive for me to be able to mess with these files (that's just my own ignorance, not a complication of the intrusion).
I would reinstall the OS (Mandrake 10), but I've got too many custom settings for mail, web, web applications, database, that I don't want to have to recreate. That's why I'm attempting to manually fix this problem.
Bad idea. If someone that you don't trust has had root access for even only a few minutes, wipe the machine. Back up whatever settings you feel you need first, but you shouldn't let this box remain intact and dirty. If you don't wipe it every time there is a problem with the box this incident will lie in the back of your mind and bother you - did I really get everything off?
I understand the importance of a clean wipe, but in this case, the downtime is killing me. I absolutely must get this system back online ASAP.
As for the risk that this box might do something sinister in the future, I've got logging on the physically isolated router that I can use to monitor its behavior.
I agree 100% with wiping this box clean and installing from scratch. I hear you on the downtime issue, but if you want to prevent future downtime you need to be completely sure you have removed the rootkit / bad software.
Before doing so take backups so that you have old data and a snapshot of system files that you will need in case you will be filing a lawsuit.
If you do a good backup you should be able to wipe and have a working system within the hour. Tar up the entire /etc directory as well as the /home and /root directory if necessary. Grab /var but don't even try to use it to restore - just keep it on hand in case you need to glance at a log file or something. Only restore file by file to make sure that you don't get anything tainted. I've been there before - the peace of mind is completely worth the time.
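One way to carry out the backup-then-restore-file-by-file procedure described in the reply above, as an added example that is not part of the original thread or of any poster's own commands. It tars the directories the reply names (/etc, /home, /root, /var) from a root given as an argument, writes a SHA-256 manifest alongside the tarball so the preserved copy can later be shown to be unchanged, and pulls back exactly one file at a time into a fresh tree rather than unpacking everything. The ROOT/DEST/NEWROOT arguments, the function names and the sample tree mentioned in the comments are assumptions made for this illustration; on the real box ROOT would be / and DEST a mounted external disk.

```shell
#!/bin/sh
# Added example (not from the thread): preserve evidence, then restore selectively.
set -eu

# evidence_snapshot ROOT DEST
#   Archives ROOT/etc, ROOT/home, ROOT/root and ROOT/var (whichever exist) into
#   DEST/snapshot.tar and writes DEST/MANIFEST.sha256 covering every regular file.
#   Prints the tarball path. ROOT is an assumption so the function can run
#   against a constructed tree instead of the live filesystem.
evidence_snapshot() {
    root=$1
    dest=$2
    mkdir -p "$dest"
    set --                                  # rebuild $@ as the list of dirs present
    for d in etc home root var; do
        if [ -d "$root/$d" ]; then
            set -- "$@" "$d"
        fi
    done
    # Archive relative to ROOT so the tarball holds etc/..., home/..., not absolute paths.
    tar -cf "$dest/snapshot.tar" -C "$root" "$@"
    # Manifest of the ORIGINAL files, so a later sha256sum -c shows whether the
    # preserved copy (or the box) was touched after the snapshot was taken.
    ( cd "$root" && find "$@" -type f -exec sha256sum {} + ) | sort -k2 > "$dest/MANIFEST.sha256"
    printf '%s\n' "$dest/snapshot.tar"
}

# verify_manifest ROOT MANIFEST
#   Returns 0 if every file listed in MANIFEST still has the recorded hash, 1 otherwise.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet "$2" ) >/dev/null 2>&1
}

# restore_one TARBALL RELPATH NEWROOT
#   Extracts a single file (e.g. etc/postfix/main.cf) into NEWROOT, preserving its
#   mode, and prints where it landed. Nothing else from the tarball is unpacked,
#   which is the "file by file" discipline the reply asks for.
restore_one() {
    tarball=$1
    rel=$2
    newroot=$3
    mkdir -p "$newroot"
    tar -xpf "$tarball" -C "$newroot" "$rel"
    printf '%s\n' "$newroot/$rel"
}
```

Run evidence_snapshot first, copy DEST somewhere off the machine, and only then rebuild; restore_one is what you reach for after the reinstall when you want a single config file back and nothing else. Anything pulled from the tarball should be read before it is trusted, since the snapshot is a faithful copy of a compromised system.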