old FC hacked system

bruce badouglas at gmail.com
Wed Dec 18 17:49:04 UTC 2013


Hi.

Got an old FC system that was hacked. I know, my own fault
(perhaps); I should have updated, etc.



The system is vital, need to extract all/as much of the files from the
700G drive as possible. I'm going to blow away the corrupt system,
replacing the system with centos 6.5.

On the corrupted machine, when it was set up, the partitions were such
that most of the data was written to the /apps partition, so
hopefully most of what I really need will be there. However, I'm
pretty sure that a chunk of other useful/critical stuff was placed on
other dirs within the drive.

I'd like comments/suggestions on my approach to resolve the issue:

- set up new machine with a couple of drive bays
- take the corrupted drive, insert it in the new machine's drive bay
- insert clean 750G drive in the other drive bay
- from the new machine, do a complete "find" on the corrupted
  drive to get a "complete" list of files/dirs/tree
- go down the list, identifying the initial dirs/files that are
  important/data, that aren't part of the OS
  - copy these dirs/files to a tmp area on the clean drive, maintaining
    the dir structure
  - repeat this process until I pretty much get the data files
    (txt/py/pl/php/etc.)
- go through a complete process, trying to identify all the apps/functions
  that were added to the corrupt system
  - identify these apps, as well as the rpms required to generate the functions
  - create a script to auto-install these apps/functions from the
    associated centos repos
- handle all mysql stuff by doing a mysqldump from the good machine,
  reading the mysql data from the corrupted drive, and then copying and
  reinserting the mysql data into the new mysql on the clean/tmp machine
- identify any dev languages/environments (py/gearman/perl/php/etc.)
  and the required rpms to install or run to recreate the env on the
  clean/tmp machine

- identify all of the "services" running on the corrupt system/drive,
  and clean/install the rpms/services on the clean/tmp machine/drive
- change all ssh keys for the new clean/tmp drive/machine
- change all passwds on the new machine
- for any web sites, change all passwds


-the goal is to recreate the file system/dirs/files from the corrupt
 machine/drive on the new clean/tmp machine as much as possible


- however, once I've gone through all of the above, I still need to
  know how to lock down services, how to harden the overall system.

So, the more comments that are on point the better.

thanks
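The "find the whole tree, then copy the data dirs keeping the structure" steps in the post, as an added shell example (not the poster's own script, and not from any reply). It assumes the old 700G drive is attached to the new box and mounted read-only with `-o ro,noexec,nosuid,nodev` (say at `/mnt/old`), the clean drive at `/mnt/new`, and that both paths are passed in as arguments; the `demo` function builds a constructed stand-in for those mounts so the script runs offline. Beyond the plain find/copy, it lists any setuid/setgid files found on the old drive so they can be reviewed rather than silently brought across, and clears those bits on the copy.

```shell
#!/bin/sh
# Added example for the inventory-then-copy recovery steps. Not the original
# poster's script. Assumed layout: old drive mounted read-only (e.g.
# mount -o ro,noexec,nosuid,nodev /dev/sdb3 /mnt/old), clean drive at /mnt/new.
set -u

# inventory OLD OUT: sorted list of every regular file and symlink on the old
# drive, staying on that one filesystem (-xdev). Prints the entry count.
inventory() {
    find "$1" -xdev \( -type f -o -type l \) -print | LC_ALL=C sort > "$2"
    wc -l < "$2" | tr -d ' '
}

# flag_setid OLD: regular files carrying setuid/setgid bits. On a data
# partition like /apps these deserve a look before anything is reused.
flag_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# recover OLD NEW REL...: copy the chosen relative paths from OLD into NEW,
# keeping the directory layout (a tar pipe keeps modes and mtimes, and
# ownership when run as root), then clear setuid/setgid bits on the copy so
# nothing privileged rides along. Prints the number of regular files in NEW.
recover() {
    old="$1"; new="$2"; shift 2
    mkdir -p "$new"
    ( cd "$old" && tar -cf - "$@" ) | ( cd "$new" && tar -xf - )
    find "$new" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
    find "$new" -type f | wc -l | tr -d ' '
}

# demo: constructed stand-in for the two mounted drives, so this runs offline.
# Real use would be: inventory /mnt/old /root/old-files.txt, then
# recover /mnt/old /mnt/new/recovered apps home/bob ...
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/old/apps/site" "$t/old/home/bob" "$t/old/usr/bin"
    echo 'print("hi")' > "$t/old/apps/site/index.py"
    echo 'notes'       > "$t/old/home/bob/todo.txt"
    echo 'x' > "$t/old/apps/site/helper"; chmod 4755 "$t/old/apps/site/helper"
    echo 'x' > "$t/old/usr/bin/planted";  chmod 4755 "$t/old/usr/bin/planted"

    echo "files on old drive: $(inventory "$t/old" "$t/inventory.txt")"
    echo "setuid/setgid files to review first:"
    flag_setid "$t/old"
    echo "copied: $(recover "$t/old" "$t/new" apps home/bob) regular files"
    echo "setuid/setgid left on copy: $(flag_setid "$t/new" | wc -l | tr -d ' ')"
    rm -rf "$t"
}
demo
```

The inventory file is the "complete list" the post asks for; going through it is what decides which relative paths get handed to `recover`. Copying by path from the read-only mount means nothing from the old drive is executed on the new machine, which is the point of the `noexec,nosuid` mount options in the assumed setup.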

