hacked/recovery steps

[bruce]

Reason:
-Discovered linux/old fedora system was hacked.
-Quick run of rkhunter/chkrootkit revealed hacks,
  plus the root passwd changed, as well as other issues.

Resolution/Steps to recover:
-remove the machine
-given machine was laptop, with 2.5" drive,
 make a couple of copies of the complete drive on
 separate drives, using "slow" usb connection to
 usb drive bays - jesus, this is slow!!
 -I copied the complete drive, ~400G worth of files
  I wanted to have a complete copy of the data files,
   as well as all of the OS stuff as well...
 -the backup/copy will never be used to run a box, as it's
  corrupted

The corrupted laptop drive was initially setup to have
 separate partitions
 -root, apps, home, backup
  -apps contains the "majority" of the actual data..

-Analyse the initial/corrupted machine/system to determine
 what apps are required from the desktop/panels
-Determine what additional apps are required based on the
 rpm analysis
-Determine the required files/dirs from the data partition "apps'
-Determine the additional required files for the dev environment
  php/python/javascript

For the OS/system/apps - inspect/analyse centos to ensure the
 required yum/rpm/repositories exist
-create script/bash to completely rebuild system (except the data)

test out all of this

TBD:
-create/test a base rsync/backup strategy
-implement rkhunter/chkrootkit for the new restored/reinstalled
  system
-create a faster approach to doing the complete copy/backup
 --using/copying from usb to usb drive is too slow,
   perhaps an external drive bay that allows the internal
   2.5 to be plugged into it, to copy to an attached backup drive
   or to copy via ethernet to an attached drive


Anything else??

thoughts/comments

thanks