Re: Ack! I've been rooted...

On Fri, 2 Feb 2007, Aaron Konstam wrote:

On Thu, 2007-02-01 at 18:42 -0600, Chris Mohler wrote:
You can skip steps 1 through 3.
Backup all data that you know for certain is still safe, wipe the disk entirely,
and do a clean reinstall. If the box was rooted, there is no way to determine
the extent of the intrusion, and therefore any attempts to replace solely the
compromised aspects of the system would be irrelevant.
--

Will rsync operate without cp, ls, etc?

Chris

What does rsync have to do with ls or cp? Or am I missing something?

Most rootkits replace ls and cp in order to make the other pieces "invisible".

Don't use rsync to try and fix the problem. That is just going to make a big mess and it will not remove the problem.

If they have rooted your system, there is at least one backdoor installed. (Probably more.) You also have to look at all of the accounts installed, the kernel modules loaded, the processes running, etc. The current rootkits install crap all over the place. Unless you have a very small install and a LOT of time, you are not going to find them all.

Wipe the disc and reinstall.

--
"Invoking the supernatural can explain anything, and hence explains nothing."
                  - University of Utah bioengineering professor Gregory Clark
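The checks the reply above lists (extra accounts, loaded kernel modules, processes that the trojaned tools no longer show) are easy to script once the raw data is gathered with binaries you trust. The following is an added example, not code from this thread or from Fedora: POSIX shell helpers that read plain text, so they can be fed from a statically linked toolkit on read-only media or from the disk mounted under a rescue boot. The sample passwd entries, PID lists and module names (including the account "toor", PID 31337 and the module "evil_lkm") are constructed for illustration and do not come from any real incident.

```shell
#!/bin/sh
# Added example, not code from the thread: offline triage helpers for a box
# suspected of carrying a rootkit. Every helper reads plain text, so the input
# can come from known-good tools (a static busybox on a read-only CD, or the
# disk mounted from a rescue boot), never from the ls/ps/lsmod installed on
# the compromised system, which the reply above warns are commonly replaced.

# Accounts with UID 0 other than root. A second superuser account is one of
# the simplest backdoors to leave behind. Input: /etc/passwd contents on stdin.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Lines of file $2 that do not appear in file $1 (set difference: $2 minus $1).
# Reused below for "in /proc but not in ps" and "loaded but not in baseline".
# Testing FILENAME against ARGV[1] avoids the NR==FNR trap when $1 is empty.
not_in() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)       { print $1 }' "$1" "$2"
}

# PIDs that exist as /proc/<pid> directories but that ps does not report:
# that is how a trojaned ps (or libproc) hides a backdoor process.
# $1 = PIDs as ps lists them, $2 = PIDs read straight from /proc.
# A kernel-module rootkit can hide the /proc entries as well, which is the
# reason the thread's advice is "wipe and reinstall" rather than "clean up".
hidden_pids() {
    not_in "$1" "$2"
}

# Loaded kernel modules that a clean baseline of the same kernel does not list.
# $1 = baseline module names, $2 = first column of /proc/modules on the box.
unknown_modules() {
    not_in "$1" "$2"
}

# Constructed sample data (made up for this example, not a real incident) so
# the helpers can be exercised offline. Prints the directory it created.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/tmp/.x:/bin/sh
chris:x:500:500:Chris:/home/chris:/bin/bash
EOF
    printf '%s\n' 1 2 415 1022       > "$d/ps_pids"
    printf '%s\n' 1 2 415 1022 31337 > "$d/proc_pids"
    printf '%s\n' ext3 e1000 snd_intel8x0          > "$d/baseline_modules"
    printf '%s\n' ext3 e1000 snd_intel8x0 evil_lkm > "$d/current_modules"
    echo "$d"
}

# Live usage, with every command coming from trusted media:
#   uid0_accounts < /etc/passwd
#   ps -e -o pid= > ps_pids ; ls /proc | grep '^[0-9]' > proc_pids
#   hidden_pids ps_pids proc_pids
#   awk '{ print $1 }' /proc/modules > current_modules
#   unknown_modules baseline_modules current_modules   # baseline from a clean install

# Stand-alone demonstration on the constructed samples.
d=$(make_samples)
echo "extra uid-0 accounts:";  uid0_accounts < "$d/passwd"
echo "pids hidden from ps:";   hidden_pids "$d/ps_pids" "$d/proc_pids"
echo "unexpected modules:";    unknown_modules "$d/baseline_modules" "$d/current_modules"
rm -rf "$d"
```

On a Fedora box the package database offers one more cross-check, `rpm -Va`, which reports binaries whose size, mode or digest no longer match the installed package; run it from rescue media against the mounted disk (`rpm --root /mnt -Va`) rather than with the rpm binary and database on the compromised system, since both can have been altered. None of this recovers a rooted system; it only tells you how far the intrusion visibly reached before the disk is wiped.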

