Ack! I've been rooted...

Chris Mohler cr33dog at gmail.com
Thu Feb 1 23:58:37 UTC 2007


Well, through no one's fault but my own, our file server has been compromised.

It looks like the SHV5 kit.  I plan a reformat/reinstall tomorrow and
I was wondering if anyone had advice.  I discovered that some of the
coreutils had been replaced with compromised versions, so I (stupidly)
downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried
'rpm --Uvh coreutils'.  Should have researched that a bit, because (as
root) I don't have permission to remove/rename the hacked binaries!
Oops. For the time being, I've (physically) removed the server's
network connection.

So - the plan:
1. telinit 1
2. try to reinstall coreutils
3. telinit 3
4. rsync the last week's worth of data to another machine
5. reformat/reinstall
6. create new home dirs
7. rsync the data back - do a recursive chown/chmod
8. run rkhunter

Any thoughts on this plan of attack are welcome.

And of course the moral of all of this is UPDATE and DON'T RUN
UNNEEDED WEB SERVICES.  This happened on a FC2 server (I know ;) ),
and possibly via the SWAT or phpMyAdmin web interfaces.

Chris
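Two checks that belong around the plan above, added here as an example (this is not code from Chris's post or from any Fedora tool). The point of the first check follows directly from the post: once coreutils has been replaced, nothing the compromised system's own `ls`, `md5sum` or `rpm -V` reports can be trusted, so the comparison has to run from a rescue boot or a clean host with the suspect disk mounted read-only, against hashes taken from a clean install of the same package versions. The second check matters at step 7: rsyncing `/home` back onto the fresh install and then doing a blanket chown/chmod can carry an attacker's files over, so the restored tree is scanned for setuid/setgid binaries and for executables tucked into dot-directories before any permissions are touched. The manifest format (`<sha256>  <relative path>`, one per line), the mount-point argument and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Run from a trusted environment
# (rescue media, or a clean host with the compromised disk mounted), never
# with the compromised system's own coreutils.
#
# Assumptions (not from the page): MANIFEST holds "<sha256>  <path>" lines
# produced on a clean install of the same package versions; paths in it are
# relative to the mount point passed as ROOT.

set -u

# Portable SHA-256 of one file: GNU sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest ROOT MANIFEST
# Compares every file listed in MANIFEST against its trusted hash.
# Problems go to stderr (MISSING / MODIFIED); the count goes to stdout.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r want rel; do
        [ -z "$want" ] && continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel" >&2; bad=$((bad + 1)); continue
        fi
        got=$(sha256_of "$f")
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $rel" >&2; bad=$((bad + 1))
        fi
    done < "$manifest"
    echo "$bad"
    return 0
}

# scan_restored_data DIR
# Before chown/chmod-ing restored home directories, list anything an attacker
# could have left in user data: setuid/setgid files anywhere in the tree, and
# executables hidden inside dot-directories (e.g. ~/.cache, ~/.ssh).
# Suspects go to stderr; the count goes to stdout.
scan_restored_data() {
    root=$1
    hits=$( { find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print
              find "$root" -path '*/.*' -type f -perm -100 -print; } | sort -u )
    [ -n "$hits" ] && printf '%s\n' "$hits" | sed 's/^/SUSPECT /' >&2
    printf '%s\n' "$hits" | grep -c . || true
    return 0
}

# Example invocation (hypothetical mount point and manifest path):
#   verify_manifest /mnt/suspect /root/coreutils-clean.sha256
#   scan_restored_data /mnt/suspect/home
```

On the "root can't remove the hacked binaries" symptom: on ext2/ext3 that is normally the immutable attribute, which `lsattr /bin/ls` shows as an `i` in the flags column and `chattr -i` clears; do it from the rescue environment rather than the live system, and treat its presence on a system binary as one more confirmation of the compromise. A non-zero count from either function means stop and look at the stderr lines before continuing with the reinstall plan.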



