<html><body bgcolor="#FFFFFF"><div>Yes, you are both right.</div><div><br></div><div>I have just finished the imports to the new VM machine.</div><div><br></div><div>One should never underestimate the ingenuity of hackers and script kiddies.</div><div><br></div><div>I speak from experience.</div><div><br></div><div>We couldn't leave the machine as it was, in a perceived compromised position. So it has been cmuExport'ed.<br><br></div><div>I will look through the logs to see if I can see a problem and then delete the original VM machine.</div><div><br></div><div>Thanks to all for your help!</div><div><br>Sent from my iPhone</div><div><br>On 12 Dec 2010, at 19:03, "Chuck Tetlow" <<a href="mailto:chuck@tetlow.net">chuck@tetlow.net</a>> wrote:<br><br></div><div></div><blockquote type="cite"><div>
I completely agree with Chris - the backdoor that was used to gain access in the first place may still be there. Plus, any rootkits installed are still there. THAT is a dangerous situation.
<br>
<br>I'd recommend keeping that box off-line while you do cmuExports of all sites. Build a new box and cmuImport them all into that new box. Before you import - make sure that the new box is fully up-to-date to minimize vulnerabilities.
<br>
<br>And after importing everything/getting it working - make a complete box backup before putting it back on line. That way, you've got an emergency restore in case it happens again. After all - the vulnerability/exploit may have been in something in one of those sites. And as soon as you put it back on line - this could happen again.
<br>
<br>I'd wait till after I got the box and sites back up - but you need to carefully check the logs to see if you can spot how this happened. If not - you're just putting that rebuilt box out there and crossing your fingers that it doesn't happen again.
<br>
<br>
<br>
<br>Chuck
<br>
<br><font size="2">
<br><b>---------- Original Message -----------</b>
<br>
From: Chris Gebhardt - VIRTBIZ Internet <<a href="mailto:cobaltfacts@virtbiz.com">cobaltfacts@virtbiz.com</a>>
<br>
To: BlueOnyx General Mailing List <<a href="mailto:blueonyx@blueonyx.it">blueonyx@blueonyx.it</a>>
<br>
Sent: Sun, 12 Dec 2010 12:48:10 -0600
<br>
Subject: [BlueOnyx:06089] Re: can't run any commands on one of our BlueOnyx boxes
<br>
<br>> Peter Robbins - Bridgewater Software Group wrote:
<br>>
> Not bad for 16 hours continuous work all through the night and next
<br>>
> day. I am off to bed now.
<br>>
<br>>
So if I understand correctly, you loaded in a new /lib and /usr/lib onto
<br>>
the broken box (or virtual, as the case may be), then put it right back
<br>>
to work?
<br>>
<br>>
If I haven't missed something that sounds fairly dangerous, especially
<br>>
if you've not located what caused the issue in the first place. I hope
<br>>
you're not in for another round of this.
<br>>
<br>>
--
<br>>
Chris Gebhardt
<br>>
VIRTBIZ Internet Services
<br>>
Access, Web Hosting, Colocation, Dedicated
<br>>
<a target="_blank" href="http://www.virtbiz.com/">www.virtbiz.com</a> | toll-free (866) 4 VIRTBIZ
<br>>
_______________________________________________
<br>>
Blueonyx mailing list
<br>>
<a href="mailto:Blueonyx@blueonyx.it">Blueonyx@blueonyx.it</a>
<br>>
<a target="_blank" href="http://www.blueonyx.it/mailman/listinfo/blueonyx">http://www.blueonyx.it/mailman/listinfo/blueonyx</a>
<br><b>------- End of Original Message -------</b>
<br>
</font>
</div></blockquote></body></html>