We have a remote Debian box that was root-kitted.

Is there anyway to remotely rebuild the base install with apt (and NOT use the packages in the archive directory)?

The kit has killed rm, ping and apache (and probably many more commands/apps).

First you'd need to figure out how the rootkit entered your box. But the only way to be completely secure is a full re-install using trusted sources. That can't be done remotely I'm afraid, as the base install (net-cd) doesn't give you that option (no ssh or other remote access tools installed by default. Besides, you'd have to reboot anyway...)

Nope. Get there physically and reinstall from scratch.

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

I recommend a fresh install. Been there, and there are too many possibilities of hacks, holes etc that you won't be able to find and could be anywhere on the server. Plus your putting yourself at greater risk if they trash your stuff any more.

It depends but it is possible :

1. someone should be on site: to enter CD, choose advance installation, and then is option to continue installation using SSH---on site guy do that, send you username/password ( which are showed on screen ) and ip address...log in to machine and that is all

Link ; http://princessleia.com/journal/?p=1357


2. In case you have HP server, some G5 model then ( except some models of 100x series which has not iLO port ) you should have iLO interface...Somone connect you machine to net, in bios set up password for administarator ( or read one which sticked on server ) and you log in,mount your local CD from your laptop, and that is

I am just wondering what you have installed, which debian, which applications, it is unusual for debian server to be rootkit infected,it is possible, but debian is very good OS.
Pay attention on software you install, and how has access to system.

RE

This has nothing to do with Debian but with setup, configuration, maintenance and auditing.

In general anyone suggesting a fresh install without post-mortem is looking in the wrong direction.

My first suggestion is to get a clean dd of the entire drive to perform forensics on or you're just going to have another break in... you *need* to know how they got access.

You can do a apt-get clean && apt-get autoclean to wipe out the stuff in the local archive... then you could force a reinstall of each package... but personally I think you'd be far far far further ahead to do a clean reinstall... you can never really trust that server again until you do.

You could install a copy of what you need locally and rsync it over or you could force apt to reinstall packages it already has installed...

Dell, HP, IBM, etc... almost all have some kind of remote access card, you might wanna see if your server has one.