Chris Mohler wrote:
> Well, through no one's fault but my own our file server has been
> compromised.
>
> It looks like the SHV5 kit. I plan a reformat/reinstall tomorrow and
> I was wondering if anyone had advice. I discovered that some of the
> coreutils had been replaced with compromised versions, so I (stupidly)
> downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried
> 'rpm --Uvh coreutils'. Should have researched that a bit, because (as
> root) I don't have permission to remove/rename the hacked binaries!
> Oops. For the time being, I've (physically) removed the server's
> network connection.
>
> So - the plan:
> 1. telinit 1
> 2. try to reinstall coreutils
> 3. telinit 3
> 4. rsync the last week's worth of data to another machine
> 5. reformat/reinstall
> 6. create new home dirs
> 7. rsync the data back - do a recursive chown/chmod
> 8. run rkhunter
>
> Any thoughts on this plan of attack are welcome.
>
> And of course the moral of all of this is UPDATE and DON'T RUN
> UNNEEDED WEB SERVICES. This happened on a FC2 server (I know ;) ),
> and possibly via the SWAT or phpMyAdmin web interfaces.

A simple question that no one else has asked. Did you have SELinux enabled? What mode? Perhaps, if you did, you should report this to the fedora-selinux list.

--
David
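Added example, not from either poster: two small shell helpers that triage captured `rpm -Va` and `lsattr` output, the checks a responder would run on the unplugged box before step 2 of the plan above (is coreutils really modified, and what is stopping root from replacing it). The sample output lines are constructed, and the assumption that the immutable attribute explains root being unable to remove the binaries is mine, not something the thread states.

```shell
#!/bin/sh
# Triage helpers for a suspected rootkit swap of packaged binaries.
# They operate on captured command output so they can run offline;
# the samples below are CONSTRUCTED, not taken from the compromised host.

# `rpm -Va` lines: an 8-character flag field (S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime; '.' = test passed),
# an optional 'c' marking config files, then the path.
RPM_VERIFY_SAMPLE='S.5....T    /bin/ls
S.5....T    /bin/ps
.......T    /etc/issue
S.5....T  c /etc/samba/smb.conf
missing     /usr/bin/md5sum'

# `lsattr` lines: attribute field then path; a lowercase 'i' is immutable.
LSATTR_SAMPLE='----i--------- /bin/ls
-------------- /bin/cat
----ia-------- /bin/ps'

# Print files whose size or digest differ from the package database, plus
# files that are missing entirely. Config files are skipped because they
# change legitimately; an mtime-only change (T) is not worth flagging here.
rpm_changed_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing"          { print $NF; next }
        $2 == "c"                { next }
        $1 ~ /^S/ || $1 ~ /^..5/ { print $NF }
    '
}

# Print files carrying the immutable attribute. Even root cannot unlink or
# overwrite these until `chattr -i` clears the flag (assumption: this is
# what blocked the rpm reinstall described in the thread).
lsattr_immutable() {
    printf '%s\n' "$1" | awk '$1 ~ /i/ { print $2 }'
}

echo "modified or missing packaged files:"
rpm_changed_binaries "$RPM_VERIFY_SAMPLE"
echo "immutable files (clear with chattr -i before reinstalling):"
lsattr_immutable "$LSATTR_SAMPLE"
```

On the live system the same functions take `rpm -Va` and `lsattr -R /bin /sbin /usr/bin /usr/sbin` output; since the box's own `rpm` and `lsattr` may be trojaned, run them from known-good media and treat the results as a lead for the rebuild, not as proof of a clean host.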