[K12OSN] file attributes

Josh Malone jmalone at nrao.edu
Tue Mar 20 13:42:05 UTC 2012

On 2012-03-20 06:42, Jim Kinney wrote:
> try a dd if=/dev/zero of=/<file path and name> bs=1024 count=1024
> this _should_ overwrite the file(s) for 1M with 0s.
> Also check selinux status with ls -laZ and see if selinux got turned on or
> changed 'getenforce' to show, 'setenforce [01]' to temp change.

Or just do what you really should do when a system gets rooted: 
re-install it.

Personally, I'd be most concerned with finding the initial attack 
vector. Every time we've dealt with a system intrusion before, we always 
discovered how they got in in the first place. Usually it's compromised 
account credentials (read "passwords") that came from either other 
systems or a successful phishing campaign. Turning off SSH should not be 
your ultimate solution for network security.

Did the attackers brute-force your root password? Or did they find some 
remote vulnerability?

If you don't know, to me that's even more reason to re-install the 
system, possibly with a newer release. I've been very happy with my LTSP 
install on RHEL6 and that's rather easy to keep up to date.


        Joshua Malone       Systems Administrator
      (jmalone at nrao.edu)    NRAO Charlottesville
         434-296-0263           www.nrao.edu
         434-249-5699 (mobile)

BOFH excuse #266: All of the packets are empty
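
One way to check the brute-force question raised in the message above, as an added example that is not part of the original post: it scans sshd password-authentication entries for a successful login preceded by a run of failures from the same address. The OpenSSH syslog line format (as written to /var/log/secure on RHEL), the function name, the threshold and the sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the OpenSSH sshd syslog format; not real log data.
SAMPLE_LOG = """\
Mar 19 03:12:01 ltsp sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 19 03:12:04 ltsp sshd[2213]: Failed password for root from 203.0.113.7 port 40130 ssh2
Mar 19 03:12:07 ltsp sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 40138 ssh2
Mar 19 03:12:10 ltsp sshd[2217]: Failed password for root from 203.0.113.7 port 40146 ssh2
Mar 19 03:12:13 ltsp sshd[2219]: Failed password for root from 203.0.113.7 port 40154 ssh2
Mar 19 03:12:16 ltsp sshd[2221]: Failed password for root from 203.0.113.7 port 40162 ssh2
Mar 19 03:12:19 ltsp sshd[2223]: Accepted password for root from 203.0.113.7 port 40170 ssh2
Mar 19 08:01:44 ltsp sshd[3100]: Failed password for teacher1 from 198.51.100.20 port 51200 ssh2
Mar 19 08:01:52 ltsp sshd[3102]: Accepted password for teacher1 from 198.51.100.20 port 51204 ssh2
"""

# Matches both "for root" and "for invalid user admin" variants.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_bruteforce_logins(log_text, threshold=5):
    """Return (ip, user, failures_before) for each accepted password login
    that follows at least `threshold` failed attempts from the same address."""
    failures = defaultdict(int)  # source address -> failed attempts so far
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # key-based logins and unrelated lines are ignored
        ip, user = m.group("ip"), m.group("user")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, user, count in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{user} login from {ip} after {count} failed attempts")
```

Logs on a rooted host may have been altered, so an empty result does not rule out brute force; copies held on a remote syslog server are more trustworthy.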
