Full Version: Unable To Load After Hack...
Spydr
Please bear with me while I fill in the background...

I noticed our web (RH7.2) server was generating quite a bit of traffic and started to investigate. I found it had been compromised via a LKM hack and a rootkit had been installed. Obviously no longer being able to trust the installed drive, I installed RH9 on a spare drive and attempted to boot using this, then mounting the 7.2 so I could do further investigation. The problem is that no matter how I try, the 7.2 install boots and it is driving me bananas!

I have tried combinations of master/slave, IDE0 and IDE1 (combinations of both - drives are a couple of Seagate ATAs), I have tried grub and lilo loaders but although they "boot" off the RH9 install the kernel loaded is the 7.2. I think that maybe the rootkit may have played havoc with the system but I don't understand how it could do this.

My final straw (not sure of my methodology here) was to rename the /boot on the 7.2 but hey presto it still loads.

Appreciate any help on this....

Thanks.
Corey
Create a bootdisk using the kernel from the RH9 install with the root partition being set on the command line (man mkboot). You may need to boot into your 7.2 install and mount the rh9 partition to grab the kernel image, or you can use a live distro cd like knoppix (which I find very helpful). After you make the bootdisk with the rh9 image and pointing to the rh9 root partition, reboot the system and boot off the disk. Then from the rh9 you can do your work.
hughesjr
I would actually recommend that you create a redhat 9.0 disc and make it hda and boot off knoppix cd (so the kernel can't be infected) and manually mount both the rh9 and rh7 discs and copy only the files you need from rh7 to rh9.

Then remove the rh7 drive and scan the rh9 drive after booting for the root kit. There are worms that will add modules to the /lib/modules directory....
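The approach both replies describe (boot a kernel you trust, mount the compromised drive so it cannot run anything, then look for what the intruder added under /lib/modules) as a small POSIX sh script. This is an added example, not code from the thread or from either distribution: the device name /dev/hdb1, the mount points, the kernel version 2.4.7-10 and the file names are assumptions, and build_sample_trees only fabricates a tiny suspect/reference pair so the comparison can be tried without a real drive.

```shell
#!/bin/sh
# Added example, not from the thread: triage a compromised root filesystem from a
# clean boot (live CD or the fresh RH9 drive), along the lines hughesjr suggests.
#   mount_suspect        mounts the old drive read-only with noexec,nodev,nosuid
#                        so nothing on it runs or changes (needs root; not exercised here)
#   list_modules         lists module files under <root>/lib/modules
#   find_extra_modules   prints module files the suspect tree has but a trusted
#                        reference tree of the SAME release does not
#   build_sample_trees   constructs a tiny suspect/reference pair for a dry run
# Device names, mount points, kernel version and file names are assumptions.

set -u

# Usage: mount_suspect /dev/hdb1 /mnt/rh72   (device and mount point are assumptions)
mount_suspect() {
    dev=$1; mnt=$2
    mkdir -p "$mnt" || return 1
    # ro: no writes, so evidence is preserved; noexec/nodev/nosuid: nothing on the
    # suspect drive can execute, act as a device node, or gain privilege.
    mount -o ro,noexec,nodev,nosuid "$dev" "$mnt"
}

# Print module files (.o for 2.4 kernels, .ko for 2.6 and later) below
# <root>/lib/modules as sorted paths relative to that directory.
list_modules() {
    root=$1
    [ -d "$root/lib/modules" ] || { echo "no lib/modules under $root" >&2; return 1; }
    ( cd "$root/lib/modules" && find . -type f \( -name '*.o' -o -name '*.ko' \) | LC_ALL=C sort )
}

# Usage: find_extra_modules /mnt/rh72 /mnt/rh72-clean
# The reference must be the same release and kernel (a pristine install, or the
# kernel package unpacked somewhere); comparing against the RH9 drive would only
# show that the two kernels differ.
find_extra_modules() {
    suspect=$1; reference=$2
    sus_list=$(mktemp) || return 1
    ref_list=$(mktemp) || return 1
    if ! list_modules "$suspect" > "$sus_list" || ! list_modules "$reference" > "$ref_list"; then
        rm -f "$sus_list" "$ref_list"
        return 1
    fi
    # comm -23: lines present only in the first (suspect) list
    comm -23 "$sus_list" "$ref_list"
    rm -f "$sus_list" "$ref_list"
}

# Constructed sample data: a reference tree with one network driver, and a suspect
# tree with the same driver plus one module the reference never had. Prints the
# base directory so the caller can point find_extra_modules at sus/ and ref/.
build_sample_trees() {
    base=$(mktemp -d) || return 1
    ver=2.4.7-10                                   # assumed kernel version
    mkdir -p "$base/ref/lib/modules/$ver/kernel/net" \
             "$base/sus/lib/modules/$ver/kernel/net" \
             "$base/sus/lib/modules/$ver/misc"
    : > "$base/ref/lib/modules/$ver/kernel/net/8139too.o"
    : > "$base/sus/lib/modules/$ver/kernel/net/8139too.o"
    : > "$base/sus/lib/modules/$ver/misc/unknown.o"   # the extra, untrusted module
    echo "$base"
}
```

On a real box the sequence is `mount_suspect /dev/hdb1 /mnt/rh72` from the live CD, then `find_extra_modules /mnt/rh72 /mnt/rh72-clean` against a pristine copy of the same release; with the constructed trees, `base=$(build_sample_trees); find_extra_modules "$base/sus" "$base/ref"` prints only `./2.4.7-10/misc/unknown.o`. A module missing from the list is not proof of a clean system (a module can be loaded from anywhere, and a kernel-level rootkit can hide files once it is running), which is exactly why the check is run from a kernel that was never booted on the compromised drive.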