[CentOS] I've been hacked -- what should I do next?

Fri Dec 1 13:12:10 UTC 2006

Alfred von Campe wrote:

> Anyone recognize this root kit (if that is what it is)?  I've disabled
> the backup account, and re-enabled port forwarding on my router (so I
> can access the system from home).  Other than deleting these files, is
> there anything else I should worry about?  I'd rather not re-install the
> OS...

My advice is to reinstall too.  Cleaning compromised machine is error
prone job.  Especially if that is something you have never done before.

Have you been running anything like Tripwire on that box?  Without it
(or somethine similar), and without its database that was stored off the
machine or on read-only media (CD/DVD) I'd be very reluctant to even
attempt cleaning the machine.

Anyhow, if you decide to proceed with cleaning attempt (and not
reinstall), boot from into the rescue mode from installation CD.  That
way you'll be using clean kernel and binaries to examine the system.  Do
not chroot into compromised file systems, since this could simply
trigger loading of rootkit (and than you won't see anything).

If you haven't been running tools like Tripwire, you could make fresh
installation on some spare system, undo prelink stuff on both machines
(prelink changes your binary files), create database on clean system,
copy it to the compromised system and run check.  This should find all
changed, added and removed files (if you do it properly), as long as you
run it from rescue mode.

The rpm in verify mode will find changed files, however it will not find
changes in configuration files.  It also won't be able to find added
files (for example kernel modules that are supposed to hide files from
you and tools such as rpm and/or tripwire).  But it might be good start.
 Again, run rpm from rescue mode, and do not chroot.  You don't want to
use (potentially modified) rpm from the file system, you want to use
clean rpm binary from installation media (it has couple of options to
point it to where the root file system is mounted).

You could also try to remove all kernels, than manually remove kernel
directories in /lib/modules, and reinstall kernel (again from rescue
mode, and avoid chrooting if possible).  This should get rid of
additional kernel modules that were part of rootkit.

There's plethora of other stuff to do or try.  But even if I went along
and made this posting 10 times longer than it already is, you wouldn't
be 100% sure you cleaned the machine.  Again, reinstall is really your
best friend here.  You'll probably spend way more time attempting to
clean up, than if you were simply to reinstall and restore data (and
only data, not config files or anything else, and watch for config files
that might be part of data) from backup.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20061201/5975a0f3/attachment.sig>