Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another.
There are backups of necessary shell scripts, ASCII configuration files and more or less important email (maildir format, if it matters) including messages with binary attachments in .doc, .pdf, .jpeg and other formats. What is, in the context above, the best way to make sure that **those** backed up files (which _must_ be put back on the server after reinstall) do not contain any rootkit, trojan, virus, whatever? Which Centos / linux tool would you recommend for this specific case?
TIA, Marco
M. Fioretti wrote:
Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another.
I use rkhunter and chkrootkit. I run them regularly.
If you keep your machine clean, then your backups will be, too.
If you get compromised, then your backups since compromise are suspect.
Mike
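Mike's point that backups taken since a compromise are the suspect ones can be turned into a check, shown here as an added example that is not part of the original thread: compare the suspect backup against an older copy believed to predate the compromise, and review only what is new, changed or newly executable. The function names, directory layout and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a suspect backup against an older, trusted one.
# Assumption: file names contain no newline characters (true for maildir
# message names and ordinary config/script names).

# Print "STATUS<TAB>path" for each regular file under $2 (suspect) that is
# NEW, CHANGED, or has the same content but gained an execute bit (EXEC)
# relative to $1 (trusted). Identical files produce no output.
compare_backups() {
    good=$1 suspect=$2
    (cd "$suspect" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        if [ ! -f "$good/$rel" ]; then
            printf 'NEW\t%s\n' "$rel"
        elif ! cmp -s "$good/$rel" "$suspect/$rel"; then
            printf 'CHANGED\t%s\n' "$rel"
        elif [ -x "$suspect/$rel" ] && [ ! -x "$good/$rel" ]; then
            printf 'EXEC\t%s\n' "$rel"
        fi
    done
}

# Build two small constructed backup trees and print their parent directory.
make_sample() {
    d=$(mktemp -d) || return 1
    for side in good suspect; do
        mkdir -p "$d/$side/etc" "$d/$side/bin" "$d/$side/Maildir/cur"
    done
    echo 'PermitRootLogin no'  > "$d/good/etc/sshd_config"
    echo 'PermitRootLogin yes' > "$d/suspect/etc/sshd_config"   # content changed
    echo 'Subject: hello' > "$d/good/Maildir/cur/1220500000.M1.host:2,S"
    cp "$d/good/Maildir/cur/1220500000.M1.host:2,S" "$d/suspect/Maildir/cur/"
    echo 'echo rotate' > "$d/good/bin/rotate.sh"
    cp "$d/good/bin/rotate.sh" "$d/suspect/bin/"
    chmod +x "$d/suspect/bin/rotate.sh"                         # mode changed
    echo '* * * * * root /tmp/x' > "$d/suspect/etc/cron.extra"  # new file
    echo "$d"
}

sample=$(make_sample)
compare_backups "$sample/good" "$sample/suspect"
rm -rf "$sample"
```

Files that produce no output are only as trustworthy as the older backup they were compared against.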
Mike McCarty wrote:
M. Fioretti wrote:
Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another.
I use rkhunter and chkrootkit. I run them regularly.
If you keep your machine clean, then your backups will be, too.
If you get compromised, then your backups since compromise are suspect.
Mike
When I tried yum -y install chkrootkit.i386 I got... No package chkrootkit.i386 available.
When I tried yum -y install rkhunter.noarch I got... No package rkhunter.noarch available.
These were the two names mentioned on my yum list, so I updated my yum list (yum -y list > yum.list), and I find that neither is present anymore.
Regards, Chip Campbell
Charles E Campbell Jr wrote: ...
These were the two names mentioned on my yum list, so I updated my yum list (yum -y list > yum.list), and I find that neither is present anymore.
Both are in the EPEL repository.
Mogens
Mogens Kjaer wrote:
Charles E Campbell Jr wrote: ...
These were the two names mentioned on my yum list, so I updated my yum list (yum -y list > yum.list), and I find that neither is present anymore.
Both are in the EPEL repository.
Mogens
OK -- I "followed directions" as given by:
http://fedoraproject.org/wiki/EPEL/FAQ#How_can_I_install_the_packages_from_t...
and got:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
Retrieving http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
error: skipping http://download.fedora.redhat.com/pub/epel/5/i386/epel-release - transfer failed - Unknown or unexpected error
warning: u 0x1fe50070 ctrl 0x1fe54370 nrefs != 0 (download.fedora.redhat.com http)
Seems I need some more hints!
Thank you, Chip Campbell
On Sep 4, 2008, at 11:05 AM, Charles Campbell wrote:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
Retrieving http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
error: skipping http://download.fedora.redhat.com/pub/epel/5/i386/epel-release - transfer failed - Unknown or unexpected error
warning: u 0x1fe50070 ctrl 0x1fe54370 nrefs != 0 (download.fedora.redhat.com http)
Seems I need some more hints!
the url you are using for the epel-release package is incorrect. CentOS-oriented documentation is here:
http://wiki.centos.org/AdditionalResources/Repositories?highlight=(epel)
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
Steve Huff wrote:
On Sep 4, 2008, at 11:05 AM, Charles Campbell wrote:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
Retrieving http://download.fedora.redhat.com/pub/epel/5/i386/epel-release
error: skipping http://download.fedora.redhat.com/pub/epel/5/i386/epel-release - transfer failed - Unknown or unexpected error
warning: u 0x1fe50070 ctrl 0x1fe54370 nrefs != 0 (download.fedora.redhat.com http)
Seems I need some more hints!
the url you are using for the epel-release package is incorrect. CentOS-oriented documentation is here:
http://wiki.centos.org/AdditionalResources/Repositories?highlight=(epel)
Thank you -- I'll try this again when I have time.
Regards, Chip Campbell
Charles Campbell wrote:
Mogens Kjaer wrote:
Charles E Campbell Jr wrote: ...
These were the two names mentioned on my yum list, so I updated my yum list (yum -y list > yum.list), and I find that neither is present anymore.
Both are in the EPEL repository.
OK -- I "followed directions" as given by:
<snip>
Seems I need some more hints!
If rpmforge is already configured for you, it might be simpler to get them from there
On Thu, Sep 04, 2008 01:15:41 AM -0500, Mike McCarty wrote:
M. Fioretti wrote:
Hi,
there is a remote (VPS) Centos 4.2 server which *may* have been compromised. Reinstalling everything from scratch isn't a problem, it may even be an occasion to improve a few things, the question is another.
I use rkhunter and chkrootkit. I run them regularly.
Thanks (even if late!) for the suggestions, I've applied them.
Marco
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
Scott Silva wrote:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
I think that's what he meant. He put the "even if late" right after the "thanks", indicating that's what was late, the "thanks".
Mike
On Tue, Sep 16, 2008 14:23:30 PM -0500, Mike McCarty wrote:
Scott Silva wrote:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
I think that's what he meant. He put the "even if late" right after the "thanks", indicating that's what was late, the "thanks".
absolutely yes, I was sorry for not saying thanks earlier due to my own schedule, nothing else. Sorry to have started such a discussion.
Marco
On Wed, 2008-09-17 at 09:02 +0200, M. Fioretti wrote:
On Tue, Sep 16, 2008 14:23:30 PM -0500, Mike McCarty wrote:
Scott Silva wrote:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
I think that's what he meant. He put the "even if late" right after the "thanks", indicating that's what was late, the "thanks".
absolutely yes, I was sorry for not saying thanks earlier due to my own schedule, nothing else. Sorry to have started such a discussion.
Marco, I know what you meant. Guys, Marco is one of the good ones. Ric
On Tue, 16 Sep 2008 12:08:46 -0700 Scott Silva ssilva@sgvwater.com took out a #2 pencil and scribbled:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
I think that's what he meant. At least that's what my reality distortion field says. =-P
on 9-16-2008 12:25 PM Alex spake the following:
On Tue, 16 Sep 2008 12:08:46 -0700 Scott Silva ssilva@sgvwater.com took out a #2 pencil and scribbled:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
I think that's what he meant. At least that's what my reality distortion field says. =-P
Sorry... Bad day ... Short fuse...
Insert virtual slappings below...
On Tue, 2008-09-16 at 13:04 -0700, Scott Silva wrote:
<snip>
Sorry... Bad day ... Short fuse...
Insert virtual slappings below...
<*thwup*><*thwup*><*thwup*><*thwup*><*thwup*>
Feather pillow used as slapper of choice!
<snip>
At 04:04 PM 9/16/2008, you wrote:
on 9-16-2008 12:25 PM Alex spake the following:
On Tue, 16 Sep 2008 12:08:46 -0700 Scott Silva ssilva@sgvwater.com took out a #2 pencil and scribbled:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
I think that's what he meant. At least that's what my reality distortion field says. =-P
Sorry... Bad day ... Short fuse...
Insert virtual slappings below...
Me too.. rough day, that is. Go home, have a ________ (insert your favorite beverage) and thank your ______ (insert higher-power) that things weren't worse!
That's my plan!
Cheers! Glenn
on 9-16-2008 1:40 PM Glenn spake the following:
At 04:04 PM 9/16/2008, you wrote:
on 9-16-2008 12:25 PM Alex spake the following:
On Tue, 16 Sep 2008 12:08:46 -0700 Scott Silva ssilva@sgvwater.com took out a #2 pencil and scribbled:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
I think that's what he meant. At least that's what my reality distortion field says. =-P
Sorry... Bad day ... Short fuse...
Insert virtual slappings below...
Me too.. rough day, that is. Go home, have a ________ (insert your favorite beverage) and thank your ______ (insert higher-power) that things weren't worse!
That's my plan!
Cheers! Glenn
I'll drink to that!!!!
Cheers
On Tue, 2008-09-16 at 14:25 -0500, Alex wrote:
On Tue, 16 Sep 2008 12:08:46 -0700 Scott Silva ssilva@sgvwater.com took out a #2 pencil and scribbled:
Thanks (even if late!) for the suggestions, I've applied them.
A reply in 3 days is late? That is good for a lot of lists. Your thank you almost 2 weeks later is what is late.
;-P
I think that's what he meant. At least that's what my reality distortion field says. =-P
A TinFoil update may be in order for all installees this coming month. Adjust it accordingly! :) Ric