hacked/recovery steps

bruce badouglas at gmail.com
Wed Dec 25 17:51:36 UTC 2013

-Discovered linux/old fedora system was hacked.
-Quick run of rkhunter/chkrootkit revealed hacks,
  plus the root passwd changed, as well as other issues.

Resolution/Steps to recover:
-remove the machine
-given machine was laptop, with 2.5" drive,
 make a couple of copies of the complete drive on
 separate drives, using "slow" usb connection to
 usb drive bays - jesus, this is slow!!
 -I copied the complete drive, ~400G worth of files
  I wanted to have a complete copy of the data files,
   as well as all of the OS stuff as well...
 -the backup/copy will never be used to run a box, as it's

The corrupted laptop drive was initially setup to have
 separate partitions
 -root, apps, home, backup
  -apps contains the "majority" of the actual data..

-Analyse the initial/corrupted machine/system to determine
 what apps are required from the desktop/panels
-Determine what additional apps are required based on the
 rpm analysis
-Determine the required files/dirs from the data partition "apps'
-Determine the additional required files for the dev environment

For the OS/system/apps - inspect/analyse centos to ensure the
 required yum/rpm/repositories exist
-create script/bash to completely rebuild system (except the data)

test out all of this

-create/test a base rsync/backup strategy
-implement rkhunter/chkrootkit for the new restored/reinstalled
-create a faster approach to doing the complete copy/backup
 --using/copying from usb to usb drive is too slow,
   perhaps an external drive bay that allows the internal
   2.5 to be plugged into it, to copy to an attached backup drive
   or to copy via ethernet to an attached drive

Anything else??



More information about the users mailing list