OK, moving on. In short: Inform, backup, install, harden.
Rootkit installations are quite exceptional these days. Compromised systems can be used as a springboard. Without further analysis there is no timeline or point of origin. If this machine is owned by the institution or is part of an institutional network then the IT dept should be informed of the breach so they can decide if an investigation is needed or not. If your machine was used by other people (local account or as authenticated user of a service) then inform them of the breach as well.
If you kept regular backups, fine; else back up 0) only human-readable configuration files from /etc (and other common locations like /usr/local/etc), 1) your /home/ directory contents and 2) the whole of /var to external storage. The /etc configuration files (no passwd, group or shadow!) serve as reference, meaning you copy relevant lines but not complete files and not without inspection. Your /home/ directory should contain configuration files and documents but not any binaries. Backing up /var is for reference too (wrt log analysis). If you have a router then change the admin password and ensure any port forwarding is disabled for now.
Before you install an (any) OS you should be aware of the basics. CentOS documentation resides at http://www.centos.org/docs/ and TUV (aka RHEL) documentation resides at https://access.redhat.com/knowledge/.../?locale=en-US . Review at least the Installation and Deployment guides. If your IT department has installation guidelines then follow those.
Use the CentOS 6.3 DVD (or netboot ISO) and let the installer reformat the partitions. Select workstation mode, meaning an OS without network accessible services. When creating accounts ensure you change the password for root and for your personal account. Do not install software you do not need right now.
If your IT department has hardening guidelines follow those. Check the firewall. For a quick check you can run 'yum install -y system-config-firewall-tui && system-config-firewall-tui' and ensure no unwanted ports are open. Check SELinux is activated (system-config-securitylevel). Check unwanted and unnecessary services are deactivated (chkconfig or system-config-services). Check basic authentication (the "options" section of system-config-authentication). Check user accounts (passwd and chage or system-config-users) for password aging and shell usage.
Install or check availability of: iptables, audit service, Sudo, AIDE (or tripwire), GNU Tiger (www.nongnu.org/tiger/), Logwatch (set detail to "High" and configure a non-root email address), fail2ban (the latter requires the EPEL repo). Run Tiger and review its report. Review how you're going to be alerted of crucial software updates. Check and test your backup process. Confirm the warnings and alerts you're sending go to an email address where somebody actually regularly reads email. Otherwise alerting makes no sense.
Review the RHEL 6 Security Guide, the NSA Hardening Tips For Default Installation of RHEL 5 and the NSA Guide to the Secure Configuration of Red Hat Enterprise Linux 5. Finish off by doing another Tiger run and comparing the reports, address any leftover issues and, if you want, check against the Cisecurity RHEL 5 benchmark.
V. The Rest ;-p
Now you have a basic workstation you can add network services to. Before you do that this would be a good moment to make a baseline backup.
That's about it. Any questions just ask.
A minimalistic workstation firewall (/etc/sysconfig/iptables) could look like (the *filter table header and the closing COMMIT are required for iptables-restore to load the file):
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
Change the passwords for any on-line services you use while you're at it.
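As an added example (not from the post above), a small Python audit of a ruleset in the /etc/sysconfig/iptables format: it reports INPUT rules that accept new connections from the network and checks that the chain still ends in a catch-all REJECT/DROP, which matters because the INPUT policy is ACCEPT. The sample ruleset is the workstation one from the post plus one constructed, hypothetical rule opening tcp/22 so the audit has something to find.

```python
import shlex

# Constructed sample: the post's workstation ruleset plus one hypothetical
# rule that opens sshd (tcp/22) to the network, so the audit has a finding.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Map each option of an '-A CHAIN ...' line to its argument (True if none)."""
    toks, opts = shlex.split(line), {}
    for i, tok in enumerate(toks):
        if tok.startswith("-"):
            nxt = toks[i + 1] if i + 1 < len(toks) else "-"
            opts[tok] = True if nxt.startswith("-") else nxt
    return opts

def input_rules(ruleset):
    return [parse_rule(l) for l in ruleset.splitlines() if l.startswith("-A INPUT")]

def exposed_input_ports(ruleset):
    """Return (proto, dport) for INPUT ACCEPT rules reachable from the network.
    Loopback, ICMP and ESTABLISHED/RELATED-only rules are the expected baseline."""
    found = []
    for o in input_rules(ruleset):
        if o.get("-j") != "ACCEPT" or o.get("-i") == "lo" or o.get("-p") == "icmp":
            continue
        if "NEW" not in o.get("--state", "NEW"):
            continue  # replies to outbound connections only, nothing new inbound
        found.append((o.get("-p", "any"), o.get("--dport", "any")))
    return found

def ends_with_catch_all(ruleset):
    """True if the last INPUT rule rejects/drops everything unmatched; with an
    INPUT policy of ACCEPT this trailing rule is what actually closes the host."""
    last = input_rules(ruleset)[-1]
    return last.get("-j") in ("REJECT", "DROP") and set(last) <= {"-A", "-j", "--reject-with"}
```

Run it against the post's ruleset without the constructed ssh line and exposed_input_ports() returns an empty list, which is the state a workstation without network services should be in.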