On Fri, 2 Feb 2007, Aaron Konstam wrote:
On Thu, 2007-02-01 at 18:42 -0600, Chris Mohler wrote:
You can skip steps 1 through 3.
Backup all data that you know for certain is still safe, wipe the disk entirely,
and do a clean reinstall. If the box was rooted, there is no way to determine
the extent of the intrusion, and therefore any attempts to replace solely the
compromised aspects of the system would be irrelevant.
--
Will rsync operate without cp, ls, etc?
Chris
What does rsync have to do with ls or cp? Or am I missing something?
Most rootkits replace ls and cp in order to make the other pieces
"invisible".
Don't use rsync to try and fix the problem. That is just going to make a
big mess and it will not remove the problem.
If they have rooted your system, there is at least one backdoor installed.
(Probably more.) You also have to look at all of the accounts installed,
the kernel modules loaded, the processes running, etc. The current
rootkits install crap all over the place. Unless you have a very small
install and a LOT of time, you are not going to find them all.
Wipe the disc and reinstall.
--
"Invoking the supernatural can explain anything, and hence explains nothing."
- University of Utah bioengineering professor Gregory Clark
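The checks the reply above enumerates (accounts, processes, the replaced ls/cp), as an added example that is not part of the thread: a short POSIX shell script that looks for extra UID-0 accounts and for processes that exist in /proc but are missing from the output of ps, enumerating /proc with shell globbing rather than ls so that a replaced ls is never executed. The passwd lines and PID lists at the bottom are constructed sample data; the live section reads only /proc and /etc/passwd. The assumption that a userland rootkit patches ls/ps but cannot edit /proc itself is mine, and a kernel-level rootkit defeats both checks, which is why a clean result here proves nothing and the thread's advice stays wipe and reinstall.

```shell
#!/bin/sh
# Added example, not from the thread. Two consistency checks of the kind the
# reply says a rooted box needs: extra UID-0 accounts, and processes hidden
# from ps. Assumption: a userland rootkit patches ls/ps but not /proc itself;
# a kernel-level rootkit can patch /proc too, so empty output is not a clean
# bill of health. Use this to confirm a compromise, not to clean one up.

# extra_uid0_accounts: read passwd-format lines on stdin and print every
# account with UID 0 whose name is not "root" (a classic backdoor account).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# proc_pids: list PIDs from /proc using shell globbing only, so a replaced
# ls binary (the reply notes rootkits swap ls and cp) is never run.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# hidden_pids: print PIDs present in file $1 (kernel view, one per line) but
# absent from file $2 (userland view, e.g. ps output). Empty output means the
# two views agree.
hidden_pids() {
    # -v keep non-matching lines, -x whole-line match, -F literal patterns
    grep -vxF -f "$2" "$1" || true
}

# ---- constructed demo data (not from any real system) ----
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh
EOF
printf '%s\n' 1 2 345 678 9999 > "$tmp/from_proc"   # what /proc shows
printf '%s\n' 1 2 345 678      > "$tmp/from_ps"     # what a patched ps shows

echo "Demo: extra UID-0 accounts (expect toor):"
extra_uid0_accounts < "$tmp/passwd"
echo "Demo: PIDs in /proc but not in ps (expect 9999):"
hidden_pids "$tmp/from_proc" "$tmp/from_ps"
rm -rf "$tmp"

# ---- live checks, only where /proc and ps are available ----
if [ -d /proc/self ] && command -v ps >/dev/null 2>&1; then
    live=$(mktemp -d)
    proc_pids | sort -n > "$live/from_proc"
    ps -e -o pid= | tr -d ' ' | sort -n > "$live/from_ps"
    echo "Live: extra UID-0 accounts in /etc/passwd:"
    extra_uid0_accounts < /etc/passwd
    echo "Live: PIDs in /proc but not in ps (short-lived PIDs from the"
    echo "      commands above can show up here too; re-run to confirm):"
    hidden_pids "$live/from_proc" "$live/from_ps"
    rm -rf "$live"
fi
```

Run it as root so /proc is fully readable. Anything it reports is worth a second look, but as the reply says, the list of places to check is much longer than two, and the honest next step after confirming a root compromise is still to back up the data, wipe the disk and reinstall.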