On Saturday 21 June 2003 04:51 pm, T. Ribbrock wrote:
> On Fri, Jun 20, 2003 at 05:38:38PM -0400, Reuben D. Budiardja wrote:
> > I am working to recover a server that's been hacked. The chkrootkit
> > tool shows that some binary (e.g. 'ls', 'ps', 'top') has been changed
> > (infected) by the hacker.
>
> [...]
>
> > So, basically my question is, how do I remove those files? Or why can't
> > I remove it, even though I am root? I tried to boot as single user and it
> > didn't help either.
>
> [...]
>
> Very simple: Back up all personal data, reformat the drive and reinstall.
> To the best of my knowledge, that's the only reliable recovery from a
> hacked box.

I understand that. But it's not that simple in this case, as we can't afford any more downtime. It's a production server, and no, we don't have a backup server yet. Someone else had managed the server before. So the boss said get it back online ASAP, and that's what I was trying to do. I still recommend that at some point in the near future we do re-install the whole thing, and am really suggesting that we use RHEL ES when we do that.

Thanks though.
RDB

--
Reuben D. Budiardja