LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-25-2006, 08:16 AM   #1
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Rep: Reputation: 0
remove Eggdrop on my webserver


Hello folks.
I have just found out that some one have installed eggdrop on my webserver. When searching the web i can only find howto install it. The person or who ever has also changed the root password, but that one is ok now.
I have found eggdrop in /home/egg and /usr/share/.a/eggdrop
can i remove these dir's and put the box on the cable again or do i have to do something more to get rid of the shit.

regards
Hansf
 
Old 09-25-2006, 08:22 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
well it depends how they installed it as to how they uninstall it, but look, you've already had your root account compromised... in theory you can *never* be sure it's ok. you can run rkhunter to search for other things they may have done, but there are plenty of things they could have changed and you'll never have a clue. only sure fire way... reinstall the box.
 
Old 09-25-2006, 08:42 AM   #3
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Original Poster
Rep: Reputation: 0
eggdrop

Hey.
That was fast. I have just pressed the button.
I was just hoping that i dont have to reinstall it. There are lots of data and account's on it.
but i am goning to try the tool you suggested for me.

Thanks.
Hansf
 
Old 09-25-2006, 07:12 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I was just hoping that i dont have to reinstall it.
Unfortunately a root account compromise means unlimited access to any resources so yes, you will have to. There is no chance of recovering from this situation.

Please start by reading Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html. Then:
- stop using the box and do not allow the box to be used. This and the next two steps should be executed ASAP, there are no valid reasons to wait.
- raise your firewall to only allow access from your management IP or range, then bring down all services that are not vital to management. Basically you will only need SSH to backup stuff.
- notify any users the box was compromised. They should inspect their boxen for anomalous activity and change passwords.
- Prepare backups but make sure to not backup binaries. Store backups separately and do not use them for recovery, only reference unless you have means to verify their contents integrity. Do not use old backups for recovery unless you can make onehundred percent certain the compromise was not due to flawed software or misconfiguration before the backup date.
- Repartition, reformat, re-install from scratch.
- Harden your box properly. See the LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261


If you would like to gain more indepth knowledge about your compromise please read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html post any info you got but please perform the steps above first and with the highest priority.
 
Old 09-26-2006, 04:36 AM   #5
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Unfortunately a root account compromise means unlimited access to any resources so yes, you will have to. There is no chance of recovering from this situation.
Point taken. Now i know what to do :-)
Thank you very mutch

Regards
Hans F
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Eggdrop help needed KiLLaWaBBiT Linux - Software 2 02-08-2005 01:07 PM
Eggdrop Wolf-67 Linux - Newbie 0 10-07-2004 11:25 AM
eggdrop nullpt *BSD 2 06-06-2004 12:41 AM
Cygwin and Eggdrop Crim Linux - Newbie 1 09-23-2003 05:16 PM
Eggdrop Help! edude Linux - Software 3 09-21-2002 01:05 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:55 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration