Ack! I've been rooted...

alan alan at clueserver.org
Fri Feb 2 17:33:32 UTC 2007


On Fri, 2 Feb 2007, Aaron Konstam wrote:

> On Thu, 2007-02-01 at 18:42 -0600, Chris Mohler wrote:
>>> You can skip steps 1 through 3.
>>> Backup all data that you know for certain is still safe, wipe the disk entirely,
>>> and do a clean reinstall. If the box was rooted, there is no way to determine
>>> the extent of the intrusion, and therefore any attempts to replace solely the
>>> compromised aspects of the system would be irrelevant.
>>> --
>>
>> Will rsync operate without cp, ls, etc?
>>
>> Chris
>>
> what does rsync have to do with ls or cp? Or am I missing something

Most rootkits replace ls and cp in order to make the other pieces 
"invisible".

Don't use rsync to try and fix the problem.  That is just going to make a 
big mess and it will not remove the problem.

If they have rooted your system, there is at least one backdoor installed. 
(Probably more.)  You also have to look at all of the accounts installed, 
the kernel modules loaded, the processes running, etc.  The current 
rootkits install crap all over the place.  Unless you have a very small 
install and a LOT of time, you are not going to find them all.

Wipe the disc and reinstall.

-- 
"Invoking the supernatural can explain anything, and hence explains nothing."
                   - University of Utah bioengineering professor Gregory Clark
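One defensive way to look for the trojaned-ls/ps trick described above, as an added example that is not part of this thread: compare what the userland tool reports against what the kernel reports directly (`os.listdir` and `/proc`), and flag anything the tool leaves out. It assumes a Linux host with `/proc` mounted and `ls`/`ps` on the PATH; a kernel-module rootkit that hooks the syscalls themselves fools both views, which is exactly why the advice above is to wipe and reinstall rather than trust any on-box check.

```python
"""Cross-view check for userland rootkits: items the kernel knows about
but a (possibly replaced) ls or ps no longer shows. Added example, not
from the thread. Assumes Linux with /proc mounted and ls/ps in PATH."""
import os
import subprocess


def hidden_entries(tool_view, kernel_view):
    """Items in the kernel's view that the tool's view omits: what a
    trojaned ls/ps would be hiding. Extra items in the tool view are
    ignored (they are noise, not concealment)."""
    return sorted(set(kernel_view) - set(tool_view))


def parse_ls_a(output):
    """Names from `ls -a1` output, minus the . and .. pseudo-entries."""
    return [n for n in output.splitlines() if n not in (".", "..")]


def parse_ps_pids(output):
    """PIDs from `ps -eo pid=` output (one bare PID per line)."""
    return [int(tok) for tok in output.split() if tok.isdigit()]


def proc_pids():
    """PIDs as exposed by the kernel via /proc, without involving ps."""
    return [int(n) for n in os.listdir("/proc") if n.isdigit()]


def check_directory(path):
    """Names in `path` that ls hides from us (empty list if none)."""
    out = subprocess.run(["ls", "-a1", path], capture_output=True,
                         text=True, check=True).stdout
    return hidden_entries(parse_ls_a(out), os.listdir(path))


def check_processes():
    """PIDs in /proc that ps does not list. Short-lived processes can
    appear here transiently; re-run and keep only persistent PIDs."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return hidden_entries(parse_ps_pids(out), proc_pids())


if __name__ == "__main__":
    for d in ("/tmp", "/etc", "/usr/bin"):
        print(d, "hidden from ls:", check_directory(d))
    print("PIDs hidden from ps:", check_processes())
```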