In the amount of time you've already spent doing this, you could have:

1) purchased a new hard drive and installed it as the primary
2) moved the current hard drive to the secondary on the chain (IDE or SCSI)
3) re-installed the OS
4) mounted the old drive somewhere on the filesystem (/mnt/old)
5) moved over any known good data.

Been there, done that. Trust me, in the end, it's MUCH faster.

----- Original Message -----
From: "Reuben D. Budiardja" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 21, 2003 4:12 PM
Subject: Re: Root can't delete some files in /bin

> On Saturday 21 June 2003 04:51 pm, T. Ribbrock wrote:
> > On Fri, Jun 20, 2003 at 05:38:38PM -0400, Reuben D. Budiardja wrote:
> > > I am working to recover a server that's been hacked. The chkrootkit
> > > tool shows that some binaries (e.g. 'ls', 'ps', 'top') have been changed
> > > (infected) by the hacker.
> >
> > [...]
> >
> > > So, basically my question is, how do I remove those files? Or why can't
> > > I remove them, even though I am root? I tried to boot as single user and it
> > > didn't help either.
> >
> > [...]
> >
> > Very simple: Backup all personal data, reformat the drive and reinstall.
> > To the best of my knowledge, that's the only reliable recovery from a
> > hacked box.
>
> I understand that. But it's not that simple in this case as we can't afford
> any more down time. It's a production server, and no, we don't have a backup
> server yet. Someone else had managed the server before. So the boss said get
> it back online ASAP and that's what I was trying to do.
> I still recommend that at some point in the near future we do re-install the
> whole thing, and I'm really suggesting that we use RHEL ES when we do that.
>
> Thanks though.
>
> RDB
> --
> Reuben D. Budiardja
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]
> https://www.redhat.com/mailman/listinfo/redhat-list
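Steps 4 and 5 of the rebuild procedure above (mount the old drive at /mnt/old, move over known good data) are where a fresh install gets re-infected if done carelessly. The script below is an added example, not code from the thread or from Red Hat: it mounts the old disk so nothing on it can execute, copies only data trees (never /bin, /sbin, /lib or other binaries, which chkrootkit already flagged as replaced), lists anything executable or setuid that came across for manual review, and writes a SHA-256 manifest of the recovered files. The device name /dev/hdb1, the data trees home and var/www, and the manifest path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example for rebuild steps 4 and 5 (not from the thread): pick user data
# off the old, compromised disk without letting any of its binaries run.
# Assumptions (not on the page): old disk is /dev/hdb1; "known good data" means
# the data trees listed under "run" below, never system binaries.

set -eu

OLD_DEV="${OLD_DEV:-/dev/hdb1}"                      # assumed old-disk device
OLD_MNT="${OLD_MNT:-/mnt/old}"                       # mount point from the thread
MANIFEST="${MANIFEST:-/root/recovered-files.sha256}" # assumed manifest path

# Step 4: mount read-only with noexec,nosuid,nodev, so the replaced binaries on
# the old disk can neither run nor be changed while data is copied off it.
mount_old_disk() {
    mkdir -p "$OLD_MNT"
    mount -o ro,noexec,nosuid,nodev "$OLD_DEV" "$OLD_MNT"
}

# Step 5: copy one data tree into the fresh install, preserving ownership and
# timestamps. Prints the number of regular files copied.
copy_data_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp -a "$src/." "$dst/"
    find "$dst" -type f | wc -l | tr -d ' '
}

# Data trees should contain few or no executables; list any file that is
# owner-executable, setuid or setgid so each one is looked at before trusted.
list_executables() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -100 \)
}

# Record a SHA-256 of every recovered file; later "sha256sum -c MANIFEST"
# shows whether anything copied from the old disk has since changed.
# Prints the number of manifest entries.
write_manifest() {
    find "$1" -type f -exec sha256sum {} + > "$2"
    wc -l < "$2" | tr -d ' '
}

# Usage (as root, on the freshly installed system): ./recover-data.sh run
if [ "${1:-}" = "run" ]; then
    mount_old_disk
    for tree in home var/www; do          # assumed data trees; adjust to taste
        n=$(copy_data_tree "$OLD_MNT/$tree" "/$tree")
        echo "copied $n files from $OLD_MNT/$tree to /$tree"
        echo "executables found under /$tree (review each one):"
        list_executables "/$tree"
    done
    m=$(write_manifest /home "$MANIFEST")
    echo "wrote $m entries to $MANIFEST"
fi
```

The mount options are the point: with `ro,noexec,nosuid,nodev` nothing on the old disk can be executed or modified from the new system, so a trojaned `ls` or `ps` under /mnt/old/bin is inert while you work. Copying only named data trees, and eyeballing the executable list, keeps the rebuilt machine from inheriting the very files that made the old one untrustworthy.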