I would rather (if it's ok for the server to be down for a while) unplug the internet cable and dd (and/or rsync) all the partitions before rebooting. A lot of information (including swap) is lost during reboot...

Best,
Leonor Palmeira.

On 08/02/12 14:50, Fernando Mercês wrote:
> I recommend you boot with some live CD system and make a dump of each
> partition, including swap, with dd. So you can analyze it after wiping
> your system.
>
> This analysis will help you to discover how the attacker has gained root
> access, protect your actual system and feed the community with real-case
> information. If you need help, please let me know.
>
> Best regards,
>
> Fernando Mercês
> Linux Registered User #432779
> www.mentebinaria.com.br
> softwarelivre-rj.org
> @MenteBinaria
> ------------------------------------
> II Hack'n Rio - 23 and 24/11
> hacknrio.org
> ------------------------------------
>
> On Wed, Feb 8, 2012 at 10:51 AM, Alexander Schreiber
> <[email protected]> wrote:
>> On Wed, Feb 08, 2012 at 11:53:14AM +0300, [email protected] wrote:
>>> Today I found the following things on squeeze. Please help to fix, I've no
>>> experience in such tasks.
>>>
>>> # chkrootkit
>>> ROOTDIR is `/'
>>> Checking `ifconfig'... INFECTED
>>> Checking `netstat'... INFECTED
>>
>> Don't even try to fix it: with the system rooted you cannot trust it.
>> The only safe course of action is to wipe the system and reinstall it.
>>
>> If you need the data on the machine and have no current backups, boot
>> from a rescue CD (giving you a _clean_ environment) and copy the data
>> off, then wipe & reinstall.
>>
>> Kind regards,
>> Alex.
>> --
>> "Opportunity is missed by most people because it is dressed in overalls and
>> looks like work." -- Thomas A. Edison
>>
>> --
>> To UNSUBSCRIBE, email to [email protected]
>> with a subject of "unsubscribe". Trouble? Contact [email protected]
>> Archive: http://lists.debian.org/[email protected]

--
Leonor Palmeira, PhD
Phone: +32 4 366 42 69
Email: mlpalmeira AT ulg DOT ac DOT be
http://sites.google.com/site/leonorpalmeira
Immunology-Vaccinology, Bat. B43b
Faculty of Veterinary Medicine
Boulevard de Colonster, 20
University of Liege, B-4000 Liege (Sart-Tilman)
Belgium
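The procedure the thread converges on (boot a clean rescue system, keep the network cable unplugged, dd every partition including swap onto trusted storage, and hash the images so they can be verified later) as an added shell example; this is not code from any of the posters. It assumes GNU dd and sha256sum on the rescue system, and that OUTDIR lives on a separate trusted disk, never on the compromised host's own filesystems.

```shell
#!/bin/sh
# Forensic imaging helper, to be run from a clean rescue environment
# (live CD) on a host suspected of being rooted. Example written for this
# thread; assumes GNU dd and sha256sum, and a trusted OUTDIR.

# image_partition DEV OUTDIR
# Copies DEV sector-by-sector into OUTDIR/<name>.dd, refuses to image a
# device the rescue system has mounted (a live filesystem gives an
# inconsistent image), and records SHA-256 of source and image.
image_partition() {
    dev=$1
    outdir=$2
    name=$(basename "$dev")
    img="$outdir/$name.dd"

    # /proc/mounts is Linux-specific; skip the check where it is absent.
    if [ -r /proc/mounts ] && grep -q "^$dev " /proc/mounts; then
        echo "refusing to image mounted device $dev" >&2
        return 1
    fi

    # conv=noerror keeps going past unreadable sectors and conv=sync
    # zero-fills them, so offsets in the image stay correct. ibs=512
    # limits that padding to one sector (and keeps the image the same
    # size as a 512-byte-aligned source); obs=4M keeps writes efficient.
    dd if="$dev" of="$img" ibs=512 obs=4M conv=noerror,sync \
        2>"$outdir/$name.dd.log" || return 1

    # Hash source and image (this rereads the source once). A mismatch
    # means some sectors were unreadable and were zero-filled.
    src_sum=$(sha256sum "$dev" | cut -d' ' -f1)
    img_sum=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_sum" "$dev" "$img_sum" "$img" \
        > "$outdir/$name.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# image_all OUTDIR DEV...
# Images every listed partition; pass the swap partition too, since its
# contents are lost on reboot. Returns non-zero if any image mismatched.
image_all() {
    outdir=$1
    shift
    rc=0
    for dev in "$@"; do
        image_partition "$dev" "$outdir" || rc=1
    done
    return $rc
}
```

On a real host the devices are the partitions of the compromised disk, e.g. the entries listed in /proc/partitions from the rescue system, and the .sha256 files go with the images to whoever does the analysis.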

