debian-security February 2012 archive

Re: how to fix rootkit?

From: Laurentiu Pancescu <lpancescu_at_nospam>
Date: Wed Feb 08 2012 - 08:41:07 GMT
To: debian-security@lists.debian.org

On 2/8/12 09:53 , volk@lab127.karelia.ru wrote:
> Today I found next things at squeeze. Please help to fix, I've no
> experience in such tasks.

As Fabian already mentioned, you cannot know what an attacker changed in
the system (especially now that chkrootkit found a rootkit), therefore
you cannot trust anything on the system that you might use for
"repairing" it. The only way is to do a clean reinstall and restore user
data from backup. You could also get the configuration files from
backup, but check manually for changes (your latest backups might have
been made after the attack, the bad guy might have changed some
configuration files as well). I'd check for executable files in users'
directories and contents of their .profile and .bashrc as well.

The question is how the intruder got root access in the first place -
without finding and fixing that, you might get "owned" again, as soon as
you reinstall the system. Perhaps chapter 11 of the "Securing Debian
Manual" can help:

http://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html

Good luck!

Laurentiu

--
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4F323523.1050606@googlemail.com
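The checks Laurentiu suggests (executables in users' directories, the contents of .profile and .bashrc, and which files changed after the last clean backup) are easy to script so that they run from a trusted rescue system rather than from the compromised box itself. The following POSIX shell script is an example added to this archive page, not code from the original message or from the Debian project. It assumes the suspect root filesystem is mounted read-only and noexec at /mnt/victim, that a trusted /etc/skel from the rescue media is available for comparison, and that 2012-02-01 is the date of the last backup believed clean; all three are placeholders.

```shell
#!/bin/sh
# Offline triage of a suspected-rootkit host.  Example code written for
# this list-archive page, not from the original post.  Run from a clean
# rescue system with the suspect disk mounted read-only and noexec, e.g.
#   mount -o ro,noexec,nosuid /dev/sdb1 /mnt/victim
# Only the rescue system's find/cmp/touch are used; nothing on the
# mounted disk is executed.  Paths and dates below are assumptions.

# 1. Executable regular files under the home directories of the suspect
#    root ($1 = mount point).  Servers rarely have executables in $HOME,
#    so every hit deserves a look.
find_home_executables() {
    root="$1"
    for d in "$root/home" "$root/root"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f \
            \( -perm -u+x -o -perm -g+x -o -perm -o+x \)
    done
}

# 2. Compare each user's shell start-up files against a trusted /etc/skel
#    ($2) from the rescue media.  Prints "user:file" for every dotfile
#    that differs from its template or has no template at all; run
#    diff -u on each hit for the detail.  A difference is not proof of
#    tampering (people customise .bashrc), but a PATH or alias change
#    here is a cheap way for an intruder to survive a reboot.
diff_dotfiles() {
    root="$1"; skel="$2"
    for home in "$root"/home/* "$root/root"; do
        [ -d "$home" ] || continue
        for f in .profile .bash_profile .bashrc .bash_logout; do
            [ -f "$home/$f" ] || continue
            if [ ! -f "$skel/$f" ] || ! cmp -s "$skel/$f" "$home/$f"; then
                echo "$(basename "$home"):$f"
            fi
        done
    done
}

# 3. Regular files modified after a date ($2, YYYY-MM-DD), e.g. the date
#    of the last backup known to be clean.  A reference file is stamped
#    with touch -t so the check stays POSIX.  Only mtime is tested and an
#    attacker can reset it with touch, so an empty result proves nothing;
#    hits, however, narrow down what to compare against backup.
files_changed_since() {
    root="$1"; since="$2"
    stamp=$(echo "$since" | sed 's/-//g')0000   # 2012-02-01 -> 201202010000
    ref=$(mktemp) || return 1
    touch -t "$stamp" "$ref"
    find "$root" -xdev -type f -newer "$ref"
    rm -f "$ref"
}

# Usage from the rescue shell (all three arguments are placeholders):
#   sh audit_victim.sh /mnt/victim /etc/skel 2012-02-01
audit_victim() {
    echo "== executables under home directories =="
    find_home_executables "$1"
    echo "== shell start-up files differing from skel =="
    diff_dotfiles "$1" "$2"
    echo "== files modified since $3 =="
    files_changed_since "$1" "$3"
}

if [ $# -eq 3 ]; then
    audit_victim "$@"
fi
```

None of these checks replaces the reinstall the message calls for; they exist to decide which restored files and configuration need a manual read before they go back onto the clean system, and to hint at how the intruder got in.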