Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
First you'd need to figure out how the rootkit entered your box. But the only way to be completely secure is a full re-install using trusted sources. That can't be done remotely I'm afraid, as the base install (net-cd) doesn't give you that option (no ssh or other remote access tools installed by default. Besides, you'd have to reboot anyway...)
I recommend a fresh install. Been there, and there are too many possibilities of hacks, holes, etc. that you won't be able to find and could be anywhere on the server. Plus you're putting yourself at greater risk if they trash your stuff any more.
Is there any way to remotely rebuild the base install with apt (and NOT use the packages in the archive directory)?
The kit has killed rm, ping and apache (and probably many more commands/apps).
It depends, but it is possible:
1. Someone should be on site to insert the CD, choose advanced installation, and then there is an option to continue the installation using SSH---the on-site guy does that, sends you the username/password (which are shown on screen) and the IP address... log in to the machine and that is all.
2. In case you have an HP server, some G5 model, then (except some models of the 100x series which have no iLO port) you should have an iLO interface... Someone connects your machine to the net, in the BIOS sets up a password for the administrator (or reads the one stuck on the server) and you log in, mount your local CD from your laptop, and that is
I am just wondering what you have installed, which Debian, which applications. It is unusual for a Debian server to be rootkit infected; it is possible, but Debian is a very good OS.
Pay attention to the software you install, and who has access to the system.
My first suggestion is to get a clean dd of the entire drive to perform forensics on or you're just going to have another break-in... you *need* to know how they got access.
You can do an apt-get clean && apt-get autoclean to wipe out the stuff in the local archive... then you could force a reinstall of each package... but personally I think you'd be far far far further ahead to do a clean reinstall... you can never really trust that server again until you do.
You could install a copy of what you need locally and rsync it over or you could force apt to reinstall packages it already has installed...
Code:
# reinstall every package currently selected as "install" (skips the dpkg -l header lines and removed packages; --force-yes is deprecated, -y is enough for same-version reinstalls)
for i in $(dpkg --get-selections | awk '$2 == "install" {print $1}'); do apt-get -y --reinstall install "$i"; done
Dell, HP, IBM, etc... almost all have some kind of remote access card, you might wanna see if your server has one.
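Before reinstalling everything, it helps to know which packages the kit actually touched (the thread mentions rm, ping and apache). The following script is an added example, not code from the thread or from Debian: it compares files on disk against the per-package md5sums lists that dpkg keeps in /var/lib/dpkg/info/<package>.md5sums and prints the packages with modified or missing files, which is exactly the list you would feed to the reinstall loop above. It builds a small constructed directory tree instead of reading the real dpkg database, so it runs anywhere; on a real box you would point it at / and /var/lib/dpkg/info. The caveat a practitioner would want: the md5sums files live on the same compromised disk, so on a live system compare against sums taken from clean .deb files (dpkg-deb from a trusted mirror) or from the dd image, and treat a clean result as "nothing obvious", not as "trustworthy".

```shell
#!/bin/sh
# Added example (not from the thread): find packages whose files no longer
# match dpkg's md5sums records. Format of a .md5sums line: "<md5>  <path>",
# with <path> relative to the filesystem root (e.g. "bin/rm").

# check_package ROOT MD5SUMS_FILE
#   prints "MODIFIED <path>" / "MISSING <path>" for each bad file,
#   returns 1 if anything was bad, 0 otherwise
check_package() {
    root=$1
    sums=$2
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$sums"
    return $bad
}

# find_tampered_packages ROOT INFO_DIR
#   prints the name of every package (one per line) with at least one bad file
find_tampered_packages() {
    root=$1
    info=$2
    for f in "$info"/*.md5sums; do
        [ -e "$f" ] || continue
        pkg=$(basename "$f" .md5sums)
        if ! check_package "$root" "$f" >/dev/null; then
            echo "$pkg"
        fi
    done
}

# make_demo: constructed sample tree (assumption: stands in for / and
# /var/lib/dpkg/info). Prints the temp directory it created.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/bin" "$demo/info"
    printf 'real rm\n'   > "$demo/root/bin/rm"
    printf 'real ping\n' > "$demo/root/bin/ping"
    printf 'real ls\n'   > "$demo/root/bin/ls"
    # record the known-good sums in dpkg's md5sums format
    (cd "$demo/root" && md5sum bin/rm bin/ping) > "$demo/info/coreutils-demo.md5sums"
    (cd "$demo/root" && md5sum bin/ls)          > "$demo/info/ls-demo.md5sums"
    # simulate what the thread describes: rm replaced, ping gone
    printf 'trojaned rm\n' > "$demo/root/bin/rm"
    rm -f "$demo/root/bin/ping"
    echo "$demo"
}

main() {
    demo=$(make_demo)
    echo "Packages with modified or missing files:"
    find_tampered_packages "$demo/root" "$demo/info"
    echo "Details for coreutils-demo:"
    check_package "$demo/root" "$demo/info/coreutils-demo.md5sums" || true
    rm -rf "$demo"
}

main
```

On a real Debian box the equivalent call is `find_tampered_packages / /var/lib/dpkg/info`; Debian also ships debsums, which does the same comparison, but it reads the same on-disk md5sums files and inherits the same caveat.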