[CentOS] Is there a Centos 3 around ?
Benjamin Smith
lists at benjamindsmith.com
Mon Feb 7 23:27:36 UTC 2011
On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:
> md5sum has been tampered with also... It returns the expected values, but
> a md5sum program I took from elsewhere was returning another value...
Once you've been hacked, you can't trust the core utilities (ls /
md5sum / cd / etc.). You can't trust the kernel interfaces that these core utilities
use, nor can you reliably remove the kernel modules used to interfere with
normal operations, since the interfaces within the kernel may themselves be
cloaking the hacker-installed kernel modules!
The only way to deal with this scenario and get anything resembling a correct
answer is to mount the drive in userspace, noexec on another, trusted system.
If downtime is a concern you *might* be able to use dd and copy the disk
partition to another drive in the middle of the night and then check out the
drive offline - that would probably work fine.
But realize that until you do this, you can have no trust whatsoever in that
computer; change passwords, delete/change private SSH keys, etc., and anything
you do from here on out will be forensics to:
A) Determine just how far they got in (did they get access to other systems?)
B) Figure out how to best transfer services to a new, updated system and
update security so that the bad guys can't just walk back in with prior
knowledge.
BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An
unpatched server is pretty much a guaranteed hack incident waiting to
happen.
Good luck!
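The offline procedure the post describes (image the partition, mount it on a trusted host with noexec, then verify the core utilities with the trusted host's own tools), as an added example that is not part of the original thread. It assumes a dd image of the suspect partition (the path /evidence/sda1.img and the mount point /mnt/suspect are placeholders) and a hash manifest in sha256sum's "hash  path" format produced on a clean install of the same distribution release; the manifest format and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks a compromised
# system's files from a trusted host, never trusting the suspect's binaries.
set -eu

# Forensic copy of the suspect partition to an image file on another drive.
# noerror keeps going past bad sectors; sync pads them so offsets stay aligned.
# Placeholders: /dev/sda1 and /evidence/sda1.img are assumptions. Needs root.
image_partition() {
    dev=$1; image=$2
    dd if="$dev" of="$image" bs=4M conv=noerror,sync
}

# Mount the image read-only, with noexec/nodev/nosuid so nothing on the
# suspect disk can execute or act as a device on the trusted host. Needs root.
mount_suspect_image() {
    image=$1; mnt=$2
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,nosuid "$image" "$mnt"
}

# Compare every file listed in the manifest ("<sha256>  <path>" per line,
# as written by sha256sum on a clean host) with its copy under $mnt, using
# the trusted host's sha256sum. Prints one line per missing or modified
# file and returns 1 if any were found, 0 if everything matched.
check_manifest() {
    mnt=$1; manifest=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        target="$mnt/${path#/}"          # accept absolute or relative paths
        if [ ! -f "$target" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$manifest"
    return $bad
}
```

Typical use on the trusted host, as root: `image_partition /dev/sda1 /evidence/sda1.img` (run from a rescue boot, not from the compromised OS), then `mount_suspect_image /evidence/sda1.img /mnt/suspect` and `check_manifest /mnt/suspect /evidence/clean.sha256`. The point of the manifest coming from a separate clean install, and of hashing with the trusted host's own sha256sum, is exactly the one the post makes: a hash tool, kernel, or filesystem on the suspect machine can lie about what is on its own disk, so nothing from that machine is consulted.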