Can't reboot, shutdown, or init 3 [I've been root-kitted, please advise]
Scot L. Harris
webid at cfl.rr.com
Sun Apr 3 17:01:08 UTC 2005
On Sun, 2005-04-03 at 08:19, Arthur Pemberton wrote:
> Scot L. Harris wrote:
>
> >
> >Bare metal re-install is the only real thing to do. I hope you had
> >backups of your important data from a time before the suspected root kit
> >was installed.
> >
> >Any idea on how they got in? phpnuke on the system?
> >
> >
> >
> I downloading Knoppix now so I can recover my maildirs. Most other stuff
> should be up-to-date enough from my last install. I can't be 100% sure
> that I was not comprised since my last backup. But I only really backup
> text files (configs, mail, webpages, scripts, sql dumps). I don't think
> I had phpnuke installed. I had PhpBB installed. But I disabled it since
> I heard of the security prob in it awhile back.
>
Sounds like you are doing the right thing. The reason I asked about the
phpnuke package is just like phpbb there are known security holes in
those packages.
> I only sign I had time find was that vsftpd's log file was missing..
> It's been awhile now attempts have been made to get in via ssh and
> guessing login username/passwords, btu those attempts seemed to be just
> bots , and were never even close. I guess when I mount the partion ro
> I'll take a quick look a the logs.
Make sure you change all passwords used, don't re-use any passwords from
the old system, permanently retire any that you used on that system.
Review all packages you install and check all services made available
over the network.
Any possibility this was done by someone that was given access to the
system? You may want to check various user accounts you have granted on
the system to see if there is anything suspicious there.
--
Scot L. Harris
webid at cfl.rr.com
HELP! MY TYPEWRITER IS BROKEN!
-- E. E. CUMMINGS
More information about the users
mailing list