You need to worry about the mbr (Master Boot Record) as well as the disk
partitions.

Keep in mind no malware (virus, etc.) does anything on its own - your
CPU must be tricked into running it.  Just 'cause there's a sequence of
bytes somewhere on the disk doesn't mean your system's at risk - it
must be in the file system so that it can be loaded into memory by your
OS and the CPU's nose must be pointed at it and told to run it.

I've had circumstances where using fdisk to kill, and then recreate
partitions allowed me to recover files afterward, but recovery tools
bypass the directory listings.  Otherwise, if you initialize a
partition, there's no way for the OS to find the files, load the byte
sequences, etc., 'cause the facilities the OS uses read the directory
listing to find the files, which the directory listing says aren't
there...

There are secure wiping tools for spy situations (industrial espionage,
MI5, etc) that overwipe a disk so it can't be read forensically in a
lab, but you probably don't need that - again unless you have a file
your OS can read there isn't any way to point your CPU's nose at it to
tell it to run the malware, which is the only way the malware can have
any effect (other than taking up disk space, maybe).

dd if=/dev/zero of=/dev/hda bs=512 will put zeros all through a drive (I
think - I haven't tried it), but you'll have to be running from another
disk to do this (the dd program comes from somewhere).  I use Tom's
rootboot disk for maintenance, and it's write protected.

I'd just remake the partitions (from a secure starting disk) and
initialize them, and re-write the mbr.

If you connect to the net before you've hardened your system you can't
trust it.  So it helps to have local CDs from images you've checked the
md5 signature of...etc.  Buying official CDs is probably ok.

A DOS/Windows fdisk /mbr will overwrite the mbr (assuming your
DOS/Windows disk is not infected, of course).

It's a bit Machiavellian, eh?

Cheers,
Bret


On Tue, 2003-07-22 at 01:44, Dan Banyard wrote:
> Hi,
> 
> Recently my linux box was hacked.  I re-installed the OS but I am still
> having problems with the machine.  At this stage I am unsure whether these
> problems are due to a hardware or software issue.
> 
> I would like to totally wipe the hard disk and start again just in case the
> hackers have left any files.  There seem to be loads of disk wiping
> utilities for Windows but I cannot see a way in which I can totally wipe the
> disk.  Does anyone know of a utility or command?
> 
> Also does anyone know of a hardware checking facility?  I am using SuSE 7.2.
> I am getting to the stage when I am considering junking the whole machine,
> but this seems a real waste.  Comments from anyone who has been hacked on
> what they did?
> 
> Thanks in advance.
> 
> Dan
-- 
bwaldow at alum.mit.edu
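Bret's dd wipe, rehearsed as an added example (not code from his post or from the list) against a constructed 1 MiB image file instead of a real /dev/hda, with a check that the MBR sector and the rest of the image really read back as zeros afterwards. The helper names, the sample image and its size are assumptions of this example; it needs dd, cmp-free checks via tr and wc, head, and mktemp from coreutils.

```shell
# Added example: rehearse the dd-based wipe from the post on a file, then
# verify the result. Never point of= at a device you still need.

# make_sample_disk -> prints the path of a constructed 1 MiB "disk" filled
# with pseudo-random bytes plus the 0x55AA boot signature at offset 510, so
# its first sector looks like a populated MBR before the wipe.
make_sample_disk() {
    sample=$(mktemp)
    dd if=/dev/urandom of="$sample" bs=512 count=2048 2>/dev/null
    printf '\125\252' | dd of="$sample" bs=1 seek=510 conv=notrunc 2>/dev/null
    echo "$sample"
}

# nonzero_bytes IMAGE [SECTORS] -> prints how many non-zero bytes the first
# SECTORS 512-byte sectors (default: the whole image) contain. 0 means that
# region is fully wiped; SECTORS=1 covers just the MBR sector.
nonzero_bytes() {
    if [ -n "$2" ]; then
        dd if="$1" bs=512 count="$2" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' '
    else
        tr -d '\000' < "$1" | wc -c | tr -d ' '
    fi
}

# wipe_image IMAGE -> overwrites the image with zeros using the same command
# shape as for a real drive (if=/dev/zero, bs=512) and prints the number of
# non-zero bytes left. A block device stops dd at the end of the media; a
# plain file does not, so the zero stream is bounded to the file's size.
wipe_image() {
    size=$(wc -c < "$1" | tr -d ' ')
    head -c "$size" /dev/zero | dd of="$1" bs=512 conv=notrunc 2>/dev/null
    nonzero_bytes "$1"
}

# Stand-alone run: build the sample, show the MBR sector holds data, wipe,
# and report what is left (expected: 0 for both the MBR sector and the image).
disk=$(make_sample_disk)
echo "MBR sector non-zero bytes before wipe: $(nonzero_bytes "$disk" 1)"
echo "non-zero bytes left after wipe: $(wipe_image "$disk")"
echo "MBR sector non-zero bytes after wipe: $(nonzero_bytes "$disk" 1)"
rm -f "$disk"
```

On a real drive the same verification is `tr -d '\000' < /dev/hda | wc -c` from the rescue disk, which must print 0 before you trust the wipe.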


-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug