hacked/recovery steps
bruce
badouglas at gmail.com
Wed Dec 25 17:51:36 UTC 2013
Reason:
-Discovered a Linux/old Fedora system was hacked.
-A quick run of rkhunter/chkrootkit revealed hacks,
plus the root passwd was changed, as well as other issues.

Resolution/Steps to recover:
-remove the machine
-given the machine was a laptop with a 2.5" drive,
make a couple of copies of the complete drive on
separate drives, using a "slow" USB connection to
USB drive bays - jesus, this is slow!!
-I copied the complete drive, ~400G worth of files.
I wanted to have a complete copy of the data files,
as well as all of the OS stuff...
-the backup/copy will never be used to run a box, as it's
corrupted

The corrupted laptop drive was initially set up to have
separate partitions:
-root, apps, home, backup
-apps contains the "majority" of the actual data..

-Analyse the initial/corrupted machine/system to determine
what apps are required from the desktop/panels
-Determine what additional apps are required based on the
rpm analysis
-Determine the required files/dirs from the data partition "apps"
-Determine the additional required files for the dev environment
(php/python/javascript)
-For the OS/system/apps - inspect/analyse CentOS to ensure the
required yum/rpm repositories exist
-create a bash script to completely rebuild the system (except the data)
-test out all of this

TBD:
-create/test a base rsync/backup strategy
-implement rkhunter/chkrootkit for the new restored/reinstalled
system
-create a faster approach to doing the complete copy/backup
--using/copying from USB to USB drive is too slow;
perhaps an external drive bay that allows the internal
2.5" drive to be plugged into it, to copy to an attached backup drive,
or to copy via ethernet to an attached drive

Anything else??
thoughts/comments
thanks
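The drive-copy step above is where the recovery either produces usable evidence or does not: a copy that was never checked against the original cannot be trusted later, and an image that is accidentally written to is worthless. The script below is an added example, not code from the original post; it images a drive with dd, hashes source and image with sha256sum, refuses to continue on a mismatch, stores the hash beside the image and makes the image read-only, so every later transfer (USB to USB, or over ethernet) can be re-verified. It assumes GNU coreutils; the device name /dev/sdb in the comments is a placeholder for the real laptop drive, and the demo uses a regular file of random bytes, constructed on the fly, so it runs without any hardware. For a drive with unreadable sectors, ddrescue rather than dd is the right tool, since dd stops at the first read error.

```shell
#!/bin/sh
# Added example (not part of the original post): make a bit-for-bit copy of a
# drive and prove the copy matches before the original is set aside as evidence.
# Assumes GNU coreutils (dd, sha256sum). On the real laptop the source would be
# a block device such as /dev/sdb (placeholder); the demo uses a regular file.

# image_and_verify SRC IMG
# Copies SRC to IMG, hashes both, fails if they differ, records the hash next
# to the image and marks the image read-only.
image_and_verify() {
    src=$1
    img=$2
    # bs=4M reads in large chunks, which matters over a slow USB bridge.
    # dd stops at the first read error; a failing drive needs ddrescue.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_sum" != "$img_sum" ]; then
        echo "MISMATCH: $src $src_sum vs $img $img_sum" >&2
        return 2
    fi
    # Store the hash in sha256sum -c format so any later copy of the image
    # can be re-checked, then stop the image from being modified by accident.
    echo "$img_sum  $(basename "$img")" > "$img.sha256"
    chmod 0444 "$img" "$img.sha256"
    return 0
}

# verify_image IMG
# Re-checks an image against its stored hash; run after every transfer.
verify_image() {
    img=$1
    ( cd "$(dirname "$img")" && sha256sum -c --status "$(basename "$img").sha256" )
}

# Demo on constructed data: a 3 MiB pseudo-"drive" in a temporary directory.
demo() {
    work=$(mktemp -d) || return 1
    head -c 3145728 /dev/urandom > "$work/disk.raw"
    image_and_verify "$work/disk.raw" "$work/disk.img" || return 1
    verify_image "$work/disk.img" || return 1
    echo "image verified: $(cat "$work/disk.img.sha256")"
    rm -rf "$work"
}
```

For the real drive, run image_and_verify as root with the source device given read-only (the laptop drive mounted nowhere), and keep the .sha256 file with every copy; verify_image after the USB-to-USB or ethernet transfer is what turns a slow copy into a trustworthy one.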