Humm... you're all right, dumping before reboot is much better. Another tip: dump with your own dd/rsync binary copies. Remember: you cannot trust this system.
You can also capture some network traffic and general volatile data (memory) before reboot.

BR,

Fernando Mercês
Linux Registered User #432779
www.mentebinaria.com.br
softwarelivre-rj.org
@MenteBinaria

On Wed, Feb 8, 2012 at 12:40 PM, Repasi Tibor <repasi.ti...@advan-ce.hu> wrote:
> But, the most important: think before you act. If you wipe and reinstall the
> system, it could be as vulnerable as it was, so it may be rooted before you
> have it fully up again. Consider the following:
>
> - Cut network connection. Having the system off-line you can investigate the
>   situation undisturbed. However, there is a small chance that the rootkit
>   eliminates itself when counteraction (network unplug) is detected.
>
> - Announce the incident. In the company, to customers, and to whom it may
>   concern.
>
> - Think about essential services running on the system. What your business
>   cannot run without, you should care to restart minimal sufficient services
>   (probably from some other hosts).
>
> - Prepare yourself in doing the investigation. A good starting point:
>   http://www.fish2.com/tct/help-when-broken-into
>
> - Backup the last state for investigation. Do a backup of all filesystems
>   prior to reboot (as suggested), then reboot to a clean environment and dump
>   the HD contents again.
>
> - Investigate. Find the answers to questions: How did the intruder gain root
>   access? What vulnerability was necessary to do so? What countermeasures are
>   available on the issue? Can you set up a new system which is immune against
>   the intrusion?
>
> - Set up a new and clean system from a latest release and take necessary
>   action to provide hardened security.
>
> - Stepwise re-enable services.
>
> On 02/08/2012 03:06 PM, Leonor Palmeira wrote:
>>
>> I would rather (if it's ok for the server to be down for a while) unplug
>> the internet cable and dd (and/or rsync) all the partitions before
>> rebooting.
>> A lot of information (including swap) is lost during reboot...
>>
>> Best,
>> Leonor Palmeira.
>>
>> On 08/02/12 14:50, Fernando Mercês wrote:
>>>
>>> I recommend you boot with some live CD system and make a dump of each
>>> partition, including swap, with dd. So you can analyze it after wiping
>>> your system.
>>>
>>> This analysis will help you to discover how the attacker gained root
>>> access, protect your actual system and feed the community with real case
>>> information. If you need help, please let me know.
>>>
>>> Best regards,
>>>
>>> Fernando Mercês
>>> Linux Registered User #432779
>>> www.mentebinaria.com.br
>>> softwarelivre-rj.org
>>> @MenteBinaria
>>> ------------------------------------
>>> II Hack'n Rio - 23 e 24/11
>>> hacknrio.org
>>> ------------------------------------
>>>
>>> On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
>>> <a...@thangorodrim.de> wrote:
>>>>
>>>> On Wed, Feb 08, 2012 at 11:53:14AM +0300, v...@lab127.karelia.ru wrote:
>>>>>
>>>>> Today I found the following things on squeeze. Please help to fix, I've no
>>>>> experience in such tasks.
>>>>>
>>>>> # chkrootkit
>>>>> ROOTDIR is `/'
>>>>> Checking `ifconfig'... INFECTED
>>>>> Checking `netstat'... INFECTED
>>>>
>>>> Don't even try to fix, with the system rooted you cannot trust it.
>>>> The only safe course of action is to wipe the system and reinstall it.
>>>>
>>>> If you need the data on the machine and have no current backups, boot
>>>> from a rescue CD (giving you a _clean_ environment) and copy the data
>>>> off, then wipe & reinstall.
>>>>
>>>> Kind regards,
>>>> Alex.
>>>> --
>>>> "Opportunity is missed by most people because it is dressed in overalls
>>>> and looks like work." -- Thomas A. Edison
>>>>
>>>> --
>>>> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
>>>> with a subject of "unsubscribe". Trouble?
>>>> Contact listmas...@lists.debian.org
>>>> Archive: http://lists.debian.org/20120208125104.ga18...@thangorodrim.de
>>
>> --
>> Leonor Palmeira, PhD
>>
>> Phone: +32 4 366 42 69
>> Email: mlpalmeira AT ulg DOT ac DOT be
>> http://sites.google.com/site/leonorpalmeira
>>
>> Immunology-Vaccinology, Bat. B43b
>> Faculty of Veterinary Medicine
>> Boulevard de Colonster, 20
>> University of Liege, B-4000 Liege (Sart-Tilman)
>> Belgium
>
> --
> Best regards / Mit freundlichen Grüßen / Üdvözlettel
>
> Tibor Répási
>
> Archive: http://lists.debian.org/4f328961.4040...@advan-ce.hu

Archive: http://lists.debian.org/cam7p17nv7if9vovwvooctq78dln9s9o_61vgbfzwqnadosv...@mail.gmail.com
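The acquisition steps the thread converges on (capture volatile state with your own tool copies before any reboot, then image every partition including swap with dd from a clean rescue environment, and hash source and image so the copy is verifiable) as one POSIX sh script. This is an added example, not code from the list or from any of the posters; the TRUSTED_BIN and EVIDENCE_DIR locations, the manifest format and the idea of passing the device list on the command line are my assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread): evidence acquisition for a rooted host.
# Assumptions (mine): known-good, ideally statically linked tool copies live in
# TRUSTED_BIN; EVIDENCE_DIR is on a separate mounted disk, never the suspect one;
# devices are given on the command line, e.g.  ./acquire.sh /dev/sda1 /dev/sda5
set -u

TRUSTED_BIN="${TRUSTED_BIN:-/mnt/tools/bin}"   # assumed location of your own dd/sha256sum/netstat copies
EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"  # assumed external evidence disk

# Path of a tool: the trusted copy if present, otherwise whatever PATH gives.
# The PATH fallback is only acceptable when running from a clean live CD.
tool() {
    if [ -x "$TRUSTED_BIN/$1" ]; then printf '%s\n' "$TRUSTED_BIN/$1"; else command -v "$1"; fi
}

# Append one UTC-timestamped line to the manifest (chain-of-custody notes).
record() {
    mkdir -p "$EVIDENCE_DIR"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVIDENCE_DIR/manifest.txt"
}

# SHA-256 of a file or block device, hex digest only.
hash_of() {
    if [ -n "$(tool sha256sum)" ]; then
        "$(tool sha256sum)" "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # BSD/macOS fallback
    fi
}

# image_device SRC DEST: raw copy. conv=noerror keeps going past unreadable
# sectors and conv=sync zero-pads them so offsets stay aligned; bs=512 (the
# sector size) means that padding never adds bytes beyond the end of a device
# whose size is not a multiple of a larger block. Returns 1 when the image hash
# differs from the source hash, so a damaged copy is flagged, never silently kept.
image_device() {
    src="$1"; dest="$2"
    record "imaging $src -> $dest"
    "$(tool dd)" if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$EVIDENCE_DIR/dd.log" \
        || { record "dd FAILED for $src"; return 1; }
    src_hash=$(hash_of "$src"); dest_hash=$(hash_of "$dest")
    record "source $src sha256=$src_hash"
    record "image  $dest sha256=$dest_hash"
    if [ "$src_hash" = "$dest_hash" ]; then
        record "VERIFIED $dest"; return 0
    else
        record "MISMATCH $dest (read errors, padding, or source changed during copy)"; return 1
    fi
}

# collect_volatile OUTDIR: process and socket listings BEFORE the reboot. Only
# trusted copies are used here, because the chkrootkit output in the thread shows
# the system's own netstat/ifconfig are replaced; anything missing is logged as skipped.
collect_volatile() {
    out="$1"; mkdir -p "$out"
    for spec in "ps:auxww" "netstat:-antup" "ss:-antup" "lsof:-nPi"; do
        name=${spec%%:*}; args=${spec#*:}
        if [ -x "$TRUSTED_BIN/$name" ]; then
            "$TRUSTED_BIN/$name" $args > "$out/$name.txt" 2>&1   # $args unquoted on purpose: word split
            record "volatile: $name captured"
        else
            record "volatile: $name skipped (no trusted copy in $TRUSTED_BIN)"
        fi
    done
}

# acquire_all DEV...: image each device into EVIDENCE_DIR; prints the number of
# images whose hash matched the source.
acquire_all() {
    ok=0
    for dev in "$@"; do
        img="$EVIDENCE_DIR/$(printf '%s' "$dev" | tr '/' '_').img"
        image_device "$dev" "$img" && ok=$((ok + 1))
    done
    printf '%s\n' "$ok"
}

if [ "$#" -gt 0 ]; then
    collect_volatile "$EVIDENCE_DIR/volatile"
    acquire_all "$@"
fi
```

Run `collect_volatile` while the box is still up (after the network cable is out), and `acquire_all` only from the rescue CD. The hash comparison is deliberately strict: a source with unreadable sectors, or one whose size is not a whole number of 512-byte sectors, produces an image that no longer hashes like the source, and the script records that as MISMATCH rather than returning success. For disks with many bad sectors, GNU ddrescue is the better imaging tool; the manifest logic here stays the same.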