Security Basics mailing list archives

Re: possible rooted systems


From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Fri, 29 Oct 2004 15:06:48 -0700 (PDT)


hi ya

> Not to be a stickler for details and hopefully you are already
> planning this, but the infected machines should be re-imaged, not
> fixed.  Other wise you leave yourself open to missing backdoors and

re-imaging will NOT solve the problem, since the attacker can
come back in using the same exploit that they already know worked
on your box
        - you have to fix the hole that they used to get in
        ===================================================
                next time they are very likely to do an "rm -rf /"
                and hopefully you don't use automount in an unsafe way

a better approach ... 
        --
        == backup all your data (not system) to a new disk on a  new machine
        -- leave your old backups intact forever ..
        --

        - find out how they got in
        - find out when they got in
        - find out who they are
        - find out what machines they came from and get the other hack'd
          machine owner and isp's help to "get the attacker"
        - find out what commands they typed
        - find out what other machines they tried to attack/connect to
        - find out what files they modified
        - contact the local police dept and FBI ( if over $15K? in damages )

        - hire somebody to do all that for you 


> An easy solution that I use is to have a USB Drive around that has
> all the images I need on it.  When a machine hiccups, I can back it up
> to the USB Drive using a ghost boot disk with dos USB drivers, and
> then plant a new image over the top.

the "master image" should be cdrom or non-writeable device 
since you are plugging your "master image" into a hacked box
and by your own definition, you don't know that your usb disk is safe after that
( unknown back door, unknown virus, etc.. etc.. )

c ya
alvin

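Two of Alvin's points, finding out what files they modified and checking that a "master image" has not been altered after being plugged into a hacked box, both come down to comparing file hashes against a baseline kept where the attacker could not reach it. The Python below is an added example, not code from this thread; the directory layout and file contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream the file through SHA-256 so a full disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (POSIX relative path) to its digest. Directory symlinks
    are not followed and file symlinks are recorded by target, so a planted link
    cannot pull files from outside the tree into the baseline."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest

def diff_manifests(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the changes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
    write(os.path.join(root, "bin_ls"), "stand-in for the original ls binary\n")
    baseline = build_manifest(root)  # in practice taken from the clean image, kept off-box
    write(os.path.join(root, "bin_ls"), "replaced contents\n")       # modified
    write(os.path.join(root, "etc", "rc.extra"), "#!/bin/sh\n")      # added
    os.remove(os.path.join(root, "etc", "passwd"))                   # removed
    return diff_manifests(baseline, build_manifest(root))
```

Run build_manifest against the known-clean image and store the result on read-only media; the same diff then shows which files on the compromised box, or on the USB drive after it has been plugged into that box, differ from the image.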
