[CentOS] Is there a Centos 3 around ?

Mon Feb 7 23:27:36 UTC 2011
Benjamin Smith <lists at benjamindsmith.com>

On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:
> mds5um has been tempered with also... It return those expected values, but
> a  md5sum programm I took elsewhere was returning another value...

Once you've been hacked, you can't trust the core utilities (ls / 
md5sum/cd/etc) You can't trust the kernel interfaces that these core utilities 
use, nor can you reliably remove the kernel modules used to interfere with 
normal operations, since the interfaces within the kernel may themselves be 
cloaking the hackinstall kernel modules! 

The only way to deal with this scenario and get anything resembling a correct 
answer is to mount the drive in userspace, noexec on another, trusted system. 
If downtime is a concern you *might* be able to use dd and copy the disk 
partition to another drive in the middle of the night and then check out the 
drive offline - that would probably work fine. 

But realize that until you do this, you can have no trust whatsoever in that 
computer, change passwords, delete/change private SSH keys, etc. and anything 
you do from here on out will be forensics to: 

A) Determine just how far they got in (did they get access to other systems?) 

B) Figure out how to best transfer services to a new, updated system and 
update security so that the bad guys can't just walk back in with prior 

BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An 
unpatched server is a pretty much a guaranteed hack incident waiting to 

Good luck! 

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.