No please. There are better solutions than mkfs in most situations. Why
be so afraid of kernel modules and rootkit binaries? Boot from a CD
like knoppix or similar. Then mount all filesystems and examine the
system. First check whether your rpm database has been touched. A recent
backup may help here. Then rpm is your friend for finding out which files
have been modified. You can also find out which files have not been
installed via rpm so you can check them manually. After identifying the
affected files, replace them with clean ones. Finally, diffing the entire
system against backups may improve your confidence.
Now, it's time to fix the hole in your box before you put it into
production again!
Regards,
Simon
> oh please. if there are pieces of rootkit on your box then whether
> they installed it or not is IRRELEVANT, your box was compromised,
> period.
>
> you cannot know what they did or did not do, your only responsible
> recourse is a complete mkfs of all filesystems (i would dd the entire
> disk with zeros) and a reinstall, then to audit your latest backup of
> user data (do NOT restore ANY binaries).
>
> they could have installed a kernel module which will alter the
> behavior of arbitrary tools WITHOUT replacing any binary on your
> system, which means tripwire and the most expensive `antivirus'
> software will NOT be able to help you. don't think that such a module
> will show up in lsmod output either, or that its file is visible to
> you on the filesystem.
>
> your box has been compromised, you need to rebuild it.
>
> --
> Ethan Benson
> http://www.alaska.net/~erbenson/
>
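The offline rpm check Simon describes, as an added example that is not part of the thread: with the suspect root mounted read-only under /mnt from a live CD, `rpm -Va --root /mnt` verifies every packaged file against the package database, and the script below triages that output. The sample `rpm -Va` lines are constructed for illustration, not taken from a real host.

```shell
#!/bin/sh
# Triage the output of:  rpm -Va --root /mnt   (run from the live CD,
# against the mounted offline root; only trust it if the rpm database
# itself was not tampered with, e.g. compare it with the one in a backup).
#
# Constructed sample output for illustration (not from a real system):
SAMPLE_RPMVA='S.5....T.    /bin/ls
.......T.    /bin/cat
.......T.  c /etc/passwd
S.5....T.  c /etc/hosts
.M.......    /usr/bin/passwd
missing     /usr/bin/find'

# rpm -V attribute columns: S size, M mode, 5 digest, D device, L readlink,
# U user, G group, T mtime, P capabilities; a second field "c" marks a
# config file. Content changes (S or 5) on non-config files and missing
# files are what a rootkit replacing binaries looks like; an mtime-only
# change (T) is normal noise, and config files are legitimately edited.
# Mode/owner changes (M, U, G) are not flagged here but deserve review
# too (e.g. an unexpected setuid bit).
suspect_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print $NF; next }
        $1 ~ /^S/ || $1 ~ /5/ {
            if (NF == 3 && $2 == "c") next   # skip config files
            print $NF
        }'
}

# Files that rpm knows nothing about (hypothetical helper; rpm -qf prints
# "not owned by any package" for them) must be reviewed by hand instead:
#   find /mnt/bin /mnt/sbin /mnt/usr/bin /mnt/usr/sbin /mnt/lib -type f \
#       -exec rpm -qf --root /mnt {} \; 2>&1 | grep 'not owned'

suspect_binaries "$SAMPLE_RPMVA"
```

Each path printed should be replaced from clean installation media (or a verified backup), never from the compromised disk.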