compromised Linux box

Ryan Simpkins plug at
Thu Apr 12 15:26:16 MDT 2007

Sorry for the self-reply, but I forgot something.

ALWAYS find out how they got in BEFORE you stop processes, wipe the system, and
restore your backup. You'll just get compromised again. Use lsof and
/proc/<pid of offending process>/env to look for clues regarding how they got in.
You can also try sending rootkit daemons SIGSTOP to freeze the process while you
examine it.

Don't wipe until you know for sure how they got in, or until you just can't take the
risk of leaving it up any more.

Often rootkits will delete their files, so when you kill the process the link count
goes to zero and bye-bye access to their stuff. So if you are already compromised,
take the time to learn how they did it so you can fix it.

Sometimes you can't tell. In those cases you can almost count on a recurrence if you
make no changes to the system/software/architecture. Back up the logs and any
processes they have before rebuilding the system.
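
One way to capture that evidence before the process is killed, as an added example that is not part of the post above: it freezes the suspect PID with SIGSTOP, saves its environment (the kernel exposes this as /proc/<pid>/environ), command line and open-file table, and copies any open file that has already been unlinked from disk. It assumes a Linux procfs and permission to inspect the process (same uid or root).

```shell
#!/bin/sh
# Added example: freeze a suspect process and preserve volatile evidence
# before anything is killed or rebuilt. Assumes Linux procfs.

preserve_process_evidence() {
    pid="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # Freeze the process first so it cannot unlink more files or react.
    kill -STOP "$pid" || return 1

    # Environment the process was started with: often reveals how it was
    # launched (SSH_CLIENT, REMOTE_ADDR from a CGI, a fetch URL, ...).
    # /proc/<pid>/environ is NUL-separated, so make it line-oriented.
    tr '\0' '\n' < "/proc/$pid/environ" > "$outdir/environ" 2>/dev/null || true
    tr '\0' ' '  < "/proc/$pid/cmdline" > "$outdir/cmdline" 2>/dev/null || true
    readlink "/proc/$pid/exe" > "$outdir/exe" 2>/dev/null || true
    readlink "/proc/$pid/cwd" > "$outdir/cwd" 2>/dev/null || true

    # Open-file table, including entries already unlinked from disk. While the
    # process holds the fd the inode is still readable through /proc; killing
    # the process drops the last reference and the data is gone.
    : > "$outdir/fds"
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        n=${fd##*/}
        target=$(readlink "$fd") || continue
        echo "$n $target" >> "$outdir/fds"
        case "$target" in
            *" (deleted)")
                # Recover the unlinked file's content by reading through the fd.
                cat "$fd" > "$outdir/deleted_fd_$n" 2>/dev/null || true
                ;;
        esac
    done
    return 0
}
```

After copying what you need, `kill -CONT` resumes the process; leave it stopped if you intend to keep examining it.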


More information about the PLUG mailing list