Linux Help
Unable To Load After Hack...
Spydr
post Sep 15 2003, 10:45 PM
Post #1
Group: Members
Posts: 1
Joined: 15-September 03
Member No.: 1,450



Please bear with me while I fill in the background...

I noticed our web (RH7.2) server was generating quite a bit of traffic and started to investigate. I found it had been compromised via an LKM hack and a rootkit had been installed. Obviously, no longer being able to trust the installed drive, I installed RH9 on a spare drive and attempted to boot using this, then mount the 7.2 so I could do further investigation. The problem is that no matter how I try, the 7.2 install boots, and it is driving me bananas!

I have tried combinations of master/slave, IDE0 and IDE1 (combinations of both; the drives are a couple of Seagate ATAs), and I have tried the GRUB and LILO loaders, but although they "boot" off the RH9 install, the kernel loaded is the 7.2 one. I think that maybe the rootkit may have played havoc with the system, but I don't understand how it could do this.

My final straw (not sure of my methodology here) was to rename /boot on the 7.2 drive, but hey presto, it still loads.

Appreciate any help on this....

Thanks.
Corey
post Sep 16 2003, 12:07 PM
Post #2
Group: Admin
Posts: 1,254
Joined: 21-September 02
From: St John's, Newfoundland, Canada
Member No.: 3



Create a bootdisk using the kernel from the RH9 install, with the root partition set on the command line (man mkboot). You may need to boot into your 7.2 install and mount the RH9 partition to grab the kernel image, or you can use a live distro CD like Knoppix (which I find very helpful). After you make the bootdisk with the RH9 image, pointing it at the RH9 root partition, reboot the system and boot off the disk. Then from RH9 you can do your work.


--------------------
Corey Quilliam
(former) Linuxhelp.ca Administrator
cquilliam-AT-gmail-dot-com

Want to help out Linuxhelp.net? Check out our Linuxhelp Wiki and see if there are some articles you would like to submit!!

--
Ubuntu 8.04 64-bit - Work Laptop (HP-Compaq NC6400 Core2)
Kubuntu 8.04 64-bit - Desktop (HP m8120n QuadCore)
Ubuntu 6.04 - Server (I'm not upgrading this baby until support runs out in 2012) (Some old POS dell)
hughesjr
post Sep 17 2003, 01:14 PM
Post #3
Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151



I would actually recommend that you create a Red Hat 9.0 disc and make it hda, boot off a Knoppix CD (so the kernel can't be infected), then manually mount both the RH9 and RH7 discs and copy only the files you need from RH7 to RH9.

Then remove the RH7 drive and, after booting, scan the RH9 drive for the rootkit. There are worms that will add modules to the /lib/modules directory....


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
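The approach in the two replies above (boot from a clean medium, mount the compromised drive read-only, then look at what is sitting in /lib/modules) written out as a shell script. This is an added example, not code from the thread, from Red Hat or from Knoppix. The device name, mount point, kernel version 2.4.20-8 and the file tree it scans are assumptions constructed for the demo; the checks are generic ones (hidden names, module objects outside the kernel/ subtree) and flag files worth a second look, not proof of a rootkit.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect a compromised root
# filesystem offline, after booting from a clean medium such as a Knoppix CD.
# Device names, mount points and the demo tree below are assumptions.

# Mount the suspect partition so nothing on it can execute or be modified.
# Needs root on the live CD; not run by the demo at the bottom.
mount_suspect() {
    dev="$1"   # e.g. /dev/hda1 (assumed)
    mnt="$2"   # e.g. /mnt/rh7 (assumed)
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Compare the kernel actually running with the kernels present under
# $1/boot. If "running" names a version that is not among "installed",
# the boot loader is pulling its kernel from somewhere other than $1/boot.
running_vs_installed() {
    root="$1"
    echo "running: $(uname -r)"
    for k in "$root"/boot/vmlinuz-*; do
        [ -e "$k" ] || continue
        echo "installed: ${k##*/vmlinuz-}"
    done
}

# List entries under $1/lib/modules that a package install would not
# normally create: hidden names, and module objects (*.o on 2.4 kernels,
# *.ko on 2.6) placed outside a kernel/ subtree. Output is relative to $1
# and sorted in the C locale so results are stable.
scan_modules_tree() {
    root="$1"
    {
        find "$root/lib/modules" -name '.*' 2>/dev/null
        find "$root/lib/modules" -type f \( -name '*.o' -o -name '*.ko' \) \
            ! -path '*/kernel/*' 2>/dev/null
    } | sed "s#^$root##" | LC_ALL=C sort -u
}

# Constructed demo tree standing in for the mounted RH 7.2 drive: one
# legitimate module, one module dropped at the top of the version
# directory, and one hidden directory holding a module.
build_demo_tree() {
    t=$(mktemp -d)
    v="2.4.20-8"
    mkdir -p "$t/boot" \
             "$t/lib/modules/$v/kernel/drivers/net" \
             "$t/lib/modules/$v/.hidden"
    : > "$t/boot/vmlinuz-$v"
    : > "$t/lib/modules/$v/kernel/drivers/net/8139too.o"
    : > "$t/lib/modules/$v/planted.o"
    : > "$t/lib/modules/$v/.hidden/sniff.o"
    echo "$t"
}

# Stand-alone run against the constructed tree. On a real drive you would
# call mount_suspect first and pass its mount point instead of $demo.
demo=$(build_demo_tree)
running_vs_installed "$demo"
scan_modules_tree "$demo"
rm -rf "$demo"
```

Two caveats a practitioner will want. `rpm -Va --root /mnt/rh7` is a tempting next step, but it verifies against the RPM database on the suspect drive, which a rootkit can have edited; compare against a known-good 7.2 install or the package checksums from install media instead. And when copying "only the files you need" across, restrict that to data and configuration, never binaries or libraries from the compromised drive.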