On Wed, Jul 30, 2014 at 4:27 AM, Nico Kadel-Garcia <nka...@gmail.com> wrote:

> Once someone is in as root, they can manipulate your basic system
> libraries, including the ones used to build checksums and audit for
> intrusion. Take it offline and *replace* that OS, ASAP, and consider
> any passwords used on it to have been compromised.
Thanks for mentioning this, my response was pretty vague. My recommendation (from an information security standpoint) was aimed at determining the root cause of the infection, including reconnecting it to a VERY isolated network with detailed host and network monitoring. If you have hundreds of similarly configured systems, you could have a very large problem soon on your hands. It is always a good idea to figure out how an attacker gained access to a system.

Once "cleaned" (note the quotation marks), you can expect the system to get reinfected quickly because the botnet operators assume that you will restore from your last good backup, leaving the system in its vulnerable state once again, so a re-infection will occur easily in minutes.

As Nico pointed out, the only solution for returning a system to production use is to perform a clean reinstall of the operating system with careful analysis of any files copied over to the freshly installed system. Since any passwords on that system may have been compromised, you need to change passwords, including the root password, on all impacted systems that share credentials. Since that means they may have gained access to additional systems, this would be a good time to look into setting up file integrity monitoring and detailed remote logging.

Brandon Vincent
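The thread above recommends file integrity monitoring without showing what that looks like in practice. The following is an added example, not code from either poster: a minimal baseline-and-compare routine in Python that records a SHA-256 digest, size and permission bits for every regular file under a directory, serialises the baseline so it can be kept off the monitored host, and later reports files that were added, removed or modified. The sample tree, file names and "tampering" in `demo()` are constructed for illustration. Consistent with Nico's point, a comparison is only meaningful if the baseline and the tool doing the hashing live somewhere the intruder could not reach (removable media, a separate monitoring host); production deployments would use a maintained tool such as AIDE or Tripwire rather than this sketch.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its digest, size and mode.

    Symlinks are skipped so a link pointing outside the tree cannot hide a change.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        baseline[str(path.relative_to(root))] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline, current):
    """Diff two baselines; any change in digest, size or mode counts as modified."""
    old_keys, new_keys = set(baseline), set(current)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: snapshot a tiny tree, tamper with it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"constructed: original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")

        # The baseline would be written to off-host storage; JSON round-trip
        # stands in for that here.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated changes an intruder with root might make (constructed).
        (root / "bin" / "ls").write_bytes(b"constructed: replaced ls binary")
        (root / "bin" / "unknown_tool").write_bytes(b"constructed: new file")
        (root / "etc" / "passwd").unlink()

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the three lists; in a real deployment the comparison would be scheduled from the trusted side and its output shipped to the remote log collector the thread also recommends, so that the report itself survives if the host is compromised again.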