Re: Ack! I've been rooted...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Mohler wrote:
> Well, through no one's fault but my own our file server has been
> compromised.
> 
> It looks like the SHV5 kit.  I plan a reformat/reinstall tomorrow and
> I was wondering if anyone had advice.  I discovered that some of the
> coreutils had been replaced with compromised versions, so I (stupidly)
> downloaded the coreutils RPM, then did 'rpm -ev coreutils' and tried
> 'rpm --Uvh coreutils'.  Should have researched that a bit, because (as
> root) I don't have permission to remove/rename the hacked binaries!
> Oops. For the time being, I've (physically) removed the server's
> network connection.
> 
> So - the plan:
> 1. telinit 1
> 2. try to reinstall coreutils
> 3. telinit 3
> 4. rsync the last week's worth of data to another machine
> 5. reformat/reinstall
> 6. create new home dirs
> 7. rsync the data back - do a recursive chown/chmod
> 8. run rkhunter
> 
> Any thoughts on this plan of attack are welcome.
> 
> And of course the moral of all of this is UPDATE and DON'T RUN
> UNNEEDED WEB SERVICES.  This happened on a FC2 server (I know ;) ),
> and possibly via the SWAT or phpMyAdmin web interfaces.


A simple question that no one else has asked. Did you have SELinux enabled?
What mode?

Perhaps, if you did, you should report this to the fedora-selinux list.


- --

  David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)

iD4DBQFFw3f7AO0wNI1X4QERAhxSAJ9b9i4C8652vznOXsKU3ZgGLwNmqACY6m6n
a0VjxmzoQtlQREk/kcMdXA==
=yLSW
-----END PGP SIGNATURE-----


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux