Jason Lim:
> Hi Russell,
>
> Well, SE Linux certainly seems like something that needs to be installed.
> Most annoying is that all the recent security updates were already done!
>
> The user CGIs run as the user's UID... suexec.

Consider chrooting apache, and keep available binaries to a minimum.

> Re-installing from scratch would be a real pain... the server runs on a
> 3ware array, and has hundreds of users, all active :-/

IMHO there's only one safe way to go after being hacked: reinstall. While you are re-installing (on another machine), limit the traffic to this machine to port 80 only, and either do web site updates yourself and/or refuse them totally until you have a replacement up and running.

> Is there any way to verify the integrity of the files somehow, and
> download/re-install any binaries that do not match the checksums or
> something? Does dpkg or some other Debian tool have this ability?

Dunno - rpm has the option of checking md5 sums, but the dpkg manpage isn't promising in this regard.

> If just a list of packages could be shown that do not match what is
> actually on the disk, those could be re-downloaded and re-installed, so at
> least the system can start working (right now, just typing "gcc" produces
> garbage on the screen, no doubt because some libraries have been replaced).

Check the packages that get installed in debootstrap (perhaps you could just exactly do that in a separate tree/partition), and download and install them manually. This should get at least login, libc et al overwritten with proper binaries. If you choose to run debootstrap on a separate partition (or machine), you may have to write a little script to gather md5sums for the fresh install, and compare to the hosed machine.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

chkrootkit. Get it from http://www.chkrootkit.org/

Thomas
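The "little script" Thomas sketches, as an added example written for this page (not code from the original thread): it walks a clean reference tree (assumed to be a fresh debootstrap install mounted somewhere) and reports every file that is missing or has a different md5sum on the suspect root. The demo trees at the bottom are constructed stand-ins, not real system files.

```sh
#!/bin/sh
# Added example: compare md5sums of a clean reference tree (e.g. a fresh
# debootstrap install) against the same paths on a suspect root.
# Assumes md5sum (coreutils) and find (findutils) are available.
set -eu

# Print one line per reference file that is MISSING on the suspect side or
# whose checksum MISMATCHes. Paths are relative to the tree root so the two
# sides line up. Usage: compare_trees /mnt/clean-root /   (reference first)
compare_trees() {
    ref="$1"; suspect="$2"
    ( cd "$ref" && find . -type f -print ) | while IFS= read -r rel; do
        rel="${rel#./}"
        if [ ! -f "$suspect/$rel" ]; then
            printf 'MISSING   %s\n' "$rel"
            continue
        fi
        want=$(md5sum < "$ref/$rel" | cut -d' ' -f1)
        have=$(md5sum < "$suspect/$rel" | cut -d' ' -f1)
        if [ "$want" != "$have" ]; then
            printf 'MISMATCH  %s\n' "$rel"
        fi
    done
}

# Constructed demo: $1/clean stands in for the debootstrap tree, $1/hosed for
# the compromised host. One file untouched, one replaced, one deleted.
build_demo_trees() {
    mkdir -p "$1/clean/bin" "$1/hosed/bin"
    printf 'ELF-clean-login\n'   > "$1/clean/bin/login"
    printf 'ELF-clean-login\n'   > "$1/hosed/bin/login"   # untouched
    printf 'ELF-clean-ls\n'      > "$1/clean/bin/ls"
    printf 'ELF-trojaned-ls\n'   > "$1/hosed/bin/ls"      # replaced binary
    printf 'ELF-clean-ps\n'      > "$1/clean/bin/ps"      # removed on hosed
}

demo_dir=$(mktemp -d)
build_demo_trees "$demo_dir"
compare_trees "$demo_dir/clean" "$demo_dir/hosed"
rm -rf "$demo_dir"
```

Run it against the real trees only from a clean boot medium: a trojaned md5sum or find on the hosed machine would lie to you.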