[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Ack! I've been rooted...

Well, through no one's fault but my own our file server has been compromised.

It looks like the SHV5 kit.  I plan a reformat/reinstall tomorrow and
I was wondering if anyone had advice.  I discovered that some of the
coreutils had been replaced with compromised versions, so I (stupidly)
downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried
'rpm --Uvh coreutils'.  Should have researched that a bit, because (as
root) I don't have permission to remove/rename the hacked binaries!
Oops. For the time being, I've (physically) removed the server's
network connection.

So - the plan:
1. telinit 1
2. try to reinstall coreutils
3. telinit 3
4. rsync the last week's worth of data to another machine
5. reformat/reinstall
6. create new home dirs
7. rsync the data back - do a recursive chown/chmod
8. run rkhunter

Any thoughts on this plan of attack are welcome.

And of course the moral of all of this is UPDATE and DON'T RUN
UNNEEDED WEB SERVICES.  This happened on a FC2 server (I know ;) ),
and possibly via the SWAT or phpMyAdmin web interfaces.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]