On Thursday, Feb 1st 2007 at 17:58 -0600, quoth Chris Mohler: =>Well, through no one's fault but my own our file server has been compromised. => =>It looks like the SHV5 kit. I plan a reformat/reinstall tomorrow and =>I was wondering if anyone had advice. I discovered that some of the =>coreutils had been replaced with compromised versions, so I (stupidly) =>downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried =>'rpm --Uvh coreutils'. Should have researched that a bit, because (as =>root) I don't have permission to remove/rename the hacked binaries! =>Oops. For the time being, I've (physically) removed the server's =>network connection. => =>So - the plan: =>1. telinit 1 =>2. try to reinstall coreutils =>3. telinit 3 =>4. rsync the last week's worth of data to another machine =>5. reformat/reinstall =>6. create new home dirs =>7. rsync the data back - do a recursive chown/chmod =>8. run rkhunter => =>Any thoughts on this plan of attack are welcome. => =>And of course the moral of all of this is UPDATE and DON'T RUN =>UNNEEDED WEB SERVICES. This happened on a FC2 server (I know ;) ), =>and possibly via the SWAT or phpMyAdmin web interfaces. I read this thread and I have a question on why this problem is not handled in a more direct approach instead of the blood&guts reload approach: If you simply reinstall the rpm package (something like) rpm --replacepkgs -vh rpm-4.4.1-22.i386.rpm then you know that the binaries are good. From there all you have to do is rpm -Va and then look at what problems come out. It shouldn't take long. Use the force Luke! -- Time flies like the wind. Fruit flies like a banana. Stranger things have .0. happened but none stranger than this. Does your driver's license say Organ ..0 Donor?Black holes are where God divided by zero. Listen to me! We are all- 000 individuals! What if this weren't a hypothetical question? steveo at syslang.net
