LinuxQuestions.org
Old 09-25-2006, 07:16 AM   #1
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Rep: Reputation: 0
remove Eggdrop on my webserver


Hello folks.
I have just found out that someone has installed eggdrop on my webserver. When searching the web I can only find how to install it. The person, or whoever, has also changed the root password, but that one is OK now.
I have found eggdrop in /home/egg and /usr/share/.a/eggdrop
Can I remove these dirs and put the box on the cable again, or do I have to do something more to get rid of the shit?

regards
Hansf
 
Old 09-25-2006, 07:22 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, it depends how they installed it as to how they uninstall it, but look, you've already had your root account compromised... in theory you can *never* be sure it's OK. You can run rkhunter to search for other things they may have done, but there are plenty of things they could have changed and you'll never have a clue. Only sure-fire way... reinstall the box.
 
Old 09-25-2006, 07:42 AM   #3
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Original Poster
Rep: Reputation: 0
eggdrop

Hey.
That was fast. I have just pressed the button.
I was just hoping that I don't have to reinstall it. There are lots of data and accounts on it.
But I am going to try the tool you suggested for me.

Thanks.
Hansf
 
Old 09-25-2006, 06:12 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "I was just hoping that I don't have to reinstall it."
Unfortunately a root account compromise means unlimited access to any resources so yes, you will have to. There is no chance of recovering from this situation.

Please start by reading Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html. Then:
- stop using the box and do not allow the box to be used. This and the next two steps should be executed ASAP, there are no valid reasons to wait.
- raise your firewall to only allow access from your management IP or range, then bring down all services that are not vital to management. Basically you will only need SSH to back up stuff.
- notify any users the box was compromised. They should inspect their boxen for anomalous activity and change passwords.
- Prepare backups but make sure to not back up binaries. Store backups separately and do not use them for recovery, only for reference, unless you have means to verify their contents' integrity. Do not use old backups for recovery unless you can make one hundred percent certain the compromise was not due to flawed software or misconfiguration before the backup date.
- Repartition, reformat, re-install from scratch.
- Harden your box properly. See the LQ FAQ: Security references: http://www.linuxquestions.org/questi...threadid=45261


If you would like to gain more in-depth knowledge about your compromise please read Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html. Post any info you got, but please perform the steps above first and with the highest priority.
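
One way to carry out the "prepare backups but do not back up binaries" step from the reply above, with a hash manifest as the means to verify integrity later. This is an added example, not part of the original thread; the function names and paths are hypothetical, it assumes GNU `sha256sum`, and it should be run with tools from trusted rescue media because the compromised host's own binaries cannot be trusted.

```shell
#!/bin/sh
# Added example: choose data files for a post-compromise backup, leave out
# anything executable, and hash what is kept. Paths and names are hypothetical.

# looks_executable FILE: true if FILE has any execute bit, starts with the
# ELF magic, or starts with "#!". Treating scripts as "binaries" is this
# example's choice, not something the thread specifies.
looks_executable() {
    case $(ls -ld "$1") in
        ???[xs]*|??????[xs]*|?????????[xt]*) return 0 ;;  # u/g/o execute bit
    esac
    case $(od -An -tx1 -N4 "$1" | tr -d ' \n') in
        7f454c46|2321*) return 0 ;;                       # "\177ELF" or "#!"
    esac
    return 1
}

# build_manifest SRC MANIFEST SKIPPED
# MANIFEST gets "sha256  ./path" lines for the files to back up (checkable
# later with `sha256sum -c`); SKIPPED gets the paths left out.
build_manifest() (
    nl='
'
    exec 3>"$2" 4>"$3" || exit 1      # open outputs before changing directory
    cd "$1" || exit 1
    # Line-based output cannot represent names containing a newline: refuse.
    if [ -n "$(find . -name "*$nl*" -print)" ]; then
        echo "refusing: file name with embedded newline under $1" >&2
        exit 2
    fi
    find . -xdev -type f -print | LC_ALL=C sort |
    while IFS= read -r f; do
        if looks_executable "$f"; then
            printf '%s\n' "$f" >&4
        else
            sha256sum "$f" >&3 || exit 1
        fi
    done
)

# Example call (hypothetical paths; compromised disk mounted read-only):
#   build_manifest /mnt/compromised/home /mnt/backup/home.sha256 \
#                  /mnt/backup/home.skipped
```

The manifest only shows that the backup has not changed since it was taken; it says nothing about whether a file was already altered by the intruder, which is why the backup stays reference-only.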
 
Old 09-26-2006, 03:36 AM   #5
hansf
LQ Newbie
 
Registered: Sep 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Quote: "Unfortunately a root account compromise means unlimited access to any resources so yes, you will have to. There is no chance of recovering from this situation."
Point taken. Now I know what to do :-)
Thank you very much

Regards
Hans F
 
  

