rootkit?

Les Mikesell lesmikesell at gmail.com
Sun Dec 11 15:41:36 UTC 2005


On Sun, 2005-12-11 at 00:20, Kam Leo wrote:

> That's easy if all you had to back up were databases and globally
> installed applications. If you have lots of users who have lots of
> data plus locally installed applications how do you decide what is
> worth replicating and what needs to be trashed?

If you have important data you should have backups.  I once
recovered a compromised machine without a re-install by
restoring a backup of the whole machine into a subdirectory
of another, then copying back the original ssh and rsync
and running 'rsync -essh -avn ...' between the current
and backup copies.  This will identify every modified
file, letting you put the originals back piecemeal without
losing current data.  However, this was some time ago
and even then the rootkit had set the 'immutable' bit
on some of the modified programs so you couldn't fix
them without an extra chattr step and now they might be
even smarter and do tricks with the shared libraries.

--- 
  Les Mikesell
    lesmikesell at gmail.com
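The compare-then-restore procedure described in the post, written out as an added example (not code from the list or the poster): it lists files whose content differs between a restored backup tree and the live tree, flags any that carry the immutable bit, and copies one original back after clearing that bit. It assumes the backup has been restored into a local directory (the post ran rsync over ssh between two machines) and that the rsync, lsattr and chattr binaries in use are trusted copies; the fallback byte comparison used when rsync is absent is my addition.

```shell
#!/bin/sh
# Compare a known-good backup tree against the live system, list every file
# whose content differs (or exists only on the live side), flag the ones
# carrying the immutable bit, and copy originals back one at a time.
# Assumed: the backup is restored locally under $backup (the post ran rsync
# over ssh between two machines; here both trees are local directories).

# Print relative paths of files the live tree has changed or added. rsync's
# itemized dry run is used with -c so a file whose content changed but whose
# timestamp was preserved is still reported; a leading ">f" or "<f" marks a
# file rsync would have to transfer, i.e. one that differs from the backup.
find_modified() {
    backup=$1; live=$2
    if command -v rsync >/dev/null 2>&1; then
        rsync -rlpc -n --itemize-changes "$live/" "$backup/" \
            | awk '/^[<>]f/ { sub(/^[^ ]+ /, ""); print }'
    else
        # Fallback when rsync is unavailable: byte-compare each regular file.
        ( cd "$live" && find . -type f | sed 's|^\./||' ) | while read -r f; do
            cmp -s "$live/$f" "$backup/$f" 2>/dev/null || echo "$f"
        done
    fi
}

# Read relative paths on stdin; print those that have the immutable ('i')
# attribute in the live tree. A plain copy over such a file fails until
# 'chattr -i' clears the bit, which is the extra step the post mentions.
find_immutable() {
    live=$1
    command -v lsattr >/dev/null 2>&1 || return 0
    while read -r f; do
        attrs=$(lsattr -d "$live/$f" 2>/dev/null | awk '{ print $1 }')
        case $attrs in *i*) echo "$f" ;; esac
    done
}

# Put the backup's copy of one file back over the live one, clearing the
# immutable bit first. chattr errors (e.g. a filesystem without attribute
# support) are ignored so the copy is still attempted.
restore_file() {
    backup=$1; live=$2; f=$3
    { command -v chattr >/dev/null 2>&1 && chattr -i "$live/$f"; } 2>/dev/null || true
    cp -p "$backup/$f" "$live/$f"
}

# Typical use: review the list before restoring anything, since a changed
# file may be legitimate current data rather than a rootkit modification.
# find_modified /mnt/backup / | tee modified.txt | find_immutable /
```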
