On Sun, 2003-06-29 at 17:15, Jason Lim wrote:
> Okay... so supposing the whole system needs to be installed, we can make a
> backup of the home directory now... but after we restore everything, what
> is to stop the hacker immediately re-gaining access again?
>
> The server is a fully updated "stable" debian system. In fact, it was
> updated just yesterday.
>
> I'm thinking that even if we do all the trouble of a complete
> re-installation of the entire system, it won't fix this as it will get
> re-hacked again, especially since we can't see what is going on anymore.
>
> What do you think? :-(
I think you need to find out how they got in. Look around for .bash_history files to see what's in them (particularly in /root, but with some compromises they get in with other directories as "HOME", so they can be other places, like /).

Once you get compromised, it's pretty darn hard to get clean without starting fresh. Some rootkit compromises do weird stuff like infect every binary file you even 'ls'.

One system I saw had been compromised via an ssh vulnerability (old ssh) and rootkit'ed... there was a very good security guy doing the (remote) cleanup, and he ended up having to install busybox just so that he had a clean environment he could work from. Despite it being damn hard to clean up, it was just the work of a script-kiddy because he left .bash_history files behind that showed everything he did.

Moral of the story: apply security updates ASAP...

-- 
----------------------------------------------------------------
Donovan Baarda http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
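A triage helper for the "look around for .bash_history files" step in the reply above, added here as an example and not code from the thread or from Donovan: it walks a mounted copy of the suspect filesystem, reports every shell history file, and flags any whose directory is not a home directory in that filesystem's passwd (the HOME=/ case mentioned above). The set of history file names, the sample tree built by `demo()` and its contents are constructed for the example.

```python
"""Added triage helper (not from the thread): list every shell history file
under a mounted copy of the suspect filesystem and flag those outside any
passwd home directory, e.g. /.bash_history left by a shell run with HOME=/.
Run it from a trusted environment, never with the suspect host's binaries."""
import os
import tempfile

HISTORY_NAMES = {".bash_history", ".sh_history", ".zsh_history", ".history"}

def read_passwd_homes(passwd_path):
    """Home directories (field 6) from a passwd-format file."""
    with open(passwd_path) as fh:
        rows = [line.rstrip("\n").split(":") for line in fh]
    return {row[5] for row in rows if len(row) >= 7}

def find_shell_histories(root, known_homes):
    """One record per history file under root, newest first; image_dir is the
    directory as the live system would see it (root mounted as '/')."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):  # symlinks not followed
        for name in filenames:
            if name not in HISTORY_NAMES:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(dirpath, root)
            image_dir = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
            st = os.lstat(path)
            with open(path, "rb") as fh:
                nlines = len(fh.read().splitlines())
            findings.append({"path": path, "image_dir": image_dir,
                             "unexpected": image_dir not in known_homes,
                             "uid": st.st_uid, "mtime": st.st_mtime, "lines": nlines})
    return sorted(findings, key=lambda f: f["mtime"], reverse=True)

def demo():
    """Constructed sample tree: two histories in real homes, one at '/'."""
    root = tempfile.mkdtemp(prefix="triage-")
    sample = {"etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                            "alice:x:1000:1000::/home/alice:/bin/bash\n",
              "root/.bash_history": "apt-get update\napt-get upgrade\n",
              "home/alice/.bash_history": "ls\nvim notes.txt\n",
              ".bash_history": "id\nuname -a\n"}  # a shell with HOME=/ leaves it here
    for rel, text in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(text)
    homes = read_passwd_homes(os.path.join(root, "etc", "passwd"))
    return homes, find_shell_histories(root, homes)
```

On a real case, point `find_shell_histories()` at the mount point of the suspect disk and `read_passwd_homes()` at that mount's etc/passwd; records with `unexpected` set are the ones to read first.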