[BlueOnyx:06090] Re: can't run any commands on one of our BlueOnyx boxes

Chuck Tetlow chuck at tetlow.net
Sun Dec 12 14:03:50 -05 2010


I completely agree with Chris - the backdoor that was used to gain access in the first place may still be there.  Plus, any rootkits installed are still there.  THAT is a dangerous situation.

I'd recommend keeping that box off-line while you do cmuExports of all sites.  Build a new box and cmuImport them all into that new box.  Before you import - make sure that the new box is fully up-to-date to minimize vulnerabilities.

And after importing everything/getting it working - make a complete box backup before putting it back on line.  That way, you've got an emergency restore in case it happens again.  After all - the vulnerability/exploit may have been in something in one of those sites.  And as soon as you put it back on line - this could happen again.

I'd wait till after I got the box and sites back up - but you need to carefully check the logs to see if you can spot how this happened.  If not - you're just putting that rebuilt box out there and crossing your fingers that it doesn't happen again.

Chuck

---------- Original Message -----------
From: Chris Gebhardt - VIRTBIZ Internet <cobaltfacts at virtbiz.com> 
To: BlueOnyx General Mailing List <blueonyx at blueonyx.it> 
Sent: Sun, 12 Dec 2010 12:48:10 -0600 
Subject: [BlueOnyx:06089] Re: can't run any commands on one of our BlueOnyx boxes

> Peter Robbins - Bridgewater Software Group wrote: 
> > Not bad for 16 hours continuous work all through the night and next 
> > day.  I am off to bed now. 
> 
> So if I understand correctly, you loaded in a new /lib and /usr/lib onto 
> the broken box (or virtual, as the case may be), then put it right back 
> to work? 
> 
> If I haven't missed something that sounds fairly dangerous, especially 
> if you've not located what caused the issue in the first place.  I hope 
> you're not in for another round of this. 
> 
> -- 
> Chris Gebhardt 
> VIRTBIZ Internet Services 
> Access, Web Hosting, Colocation, Dedicated 
> www.virtbiz.com | toll-free (866) 4 VIRTBIZ 
> _______________________________________________ 
> Blueonyx mailing list 
> Blueonyx at blueonyx.it 
> http://www.blueonyx.it/mailman/listinfo/blueonyx 
------- End of Original Message -------
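One defender-side check for the "rootkits may still be there" concern raised above, as an added example that is not part of this thread or of BlueOnyx: a small triage of `rpm -Va` output (the RPM verify command on the CentOS base that BlueOnyx runs on) which flags files under the library directories whose size or digest no longer match the package database. It assumes the output was captured to a file and reviewed off-box; because rpm and its database can themselves be tampered with on a compromised system, the result only means something when rpm is run from rescue media or compared against a known-clean box.

```python
"""Triage `rpm -Va` output from a suspected-compromised CentOS/BlueOnyx box.

Added example (not from the thread). Assumes verify output was captured with
`rpm -Va > verify.txt` and reviewed off-box. Flags non-config files under the
library directories whose size or digest no longer match the package database.
"""
import re

# rpm -Va line: 8 (rpm 4.4) or 9 (rpm 4.6+) attribute flags, optional
# file-type char, path. Flag order: S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P caps; '.' unchanged, '?' untested.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?P<ftype>[cdglr])?\s*(?P<path>/\S.*)$"
)
LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

def parse_line(line):
    """Return (flags, ftype, path), or None for lines such as 'missing ...'."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("flags"), m.group("ftype") or "", m.group("path")

def is_suspicious(flags, ftype, path):
    """Size or digest change in a non-config file under a library directory."""
    if ftype == "c":  # config files change legitimately
        return False
    content_changed = flags[0] == "S" or flags[2] == "5"
    in_libs = any(path.startswith(d + "/") for d in LIB_DIRS)
    return content_changed and in_libs

def triage(verify_output):
    """Paths from rpm -Va output that warrant a closer look."""
    return [p[2] for p in map(parse_line, verify_output.splitlines())
            if p and is_suspicious(*p)]

# Constructed sample output, not from any real box.
SAMPLE = """\
S.5....T.    /lib/libc.so.6
.......T.    /usr/lib/libz.so.1
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/lib64/libcrypto.so.10
missing     /usr/lib/libfoo.so
"""

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("CHECK", path)
```

Files reported as mtime-only changes or as modified config are left out on purpose; "missing" lines are not parsed here but are worth a separate look when they fall under /lib or /usr/lib.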
 

