System hanging at boot

bscott at ntisys.com
Fri May 30 18:55:06 EDT 2003


On 30 May 2003, at 6:29pm, cfarinella at appropriatesolutions.com wrote:
> I did that and found in /var/log/secure:
> 
> Accepted password from news from 212.66.37.242 port 3112 ssh2

  Urk.  Yeah, unless you're in the habit of shelling in as user account
"news" from Austria, that is a pretty sure sign you've been compromised.

  At this point, best practice for speedy recovery is:
  1. Immediately shut down the system
  2. Remove disks
  3. Install disks as "secondary disks" in another, known-good system
  4. Copy any important data off (or copy everything, if you want to
     do forensic analysis later)
  5. Wipe disks clean
  6. Put disks back in original system
  7. Re-install from scratch
  8. After checking files from step #4 above for evidence of tampering,
     copy them back to the system.

  Good luck!

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
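The check Ben describes (spotting an "Accepted" sshd entry for an account or source that has no business logging in) can be scripted so it runs over all of /var/log/secure rather than being eyeballed. The following Python script is an added example and is not part of this message or the thread. It accepts both the "for <user>" wording OpenSSH writes and the "from <user>" wording quoted above, and flags logins to service accounts or from addresses outside an allow-list. The service-account set, the trusted networks and the sample log lines are constructed assumptions for the example (the first sample line reuses the entry quoted in the message).

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches "Accepted <method> for <user> from <ip> port <n> ssh2" as sshd writes it,
# and also the "from <user>" wording quoted in the message above.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) (?:for|from) (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) (?P<proto>ssh\d?)"
)

# Service accounts that should never have an interactive SSH session.
# Assumption for the example; tune it to the host's /etc/passwd.
SERVICE_ACCOUNTS = {"news", "mail", "lp", "uucp", "daemon", "bin", "sys", "games", "nobody"}

# Networks the administrator actually logs in from (constructed for the example).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Finding:
    line: str
    user: str
    ip: str
    reasons: list


def check_login(line):
    """Return a Finding for an 'Accepted' line (reasons empty if benign), else None."""
    m = ACCEPTED_RE.search(line)
    if not m:
        return None
    user, ip = m.group("user"), m.group("ip")
    reasons = []
    if user in SERVICE_ACCOUNTS:
        reasons.append(f"service account '{user}' used for a shell login")
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        reasons.append(f"unparseable source address {ip!r}")
    else:
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append(f"source {ip} outside trusted networks")
    return Finding(line=line.strip(), user=user, ip=ip, reasons=reasons)


def audit(lines):
    """Keep only accepted logins that tripped at least one check."""
    return [f for f in map(check_login, lines) if f and f.reasons]


# Constructed sample of /var/log/secure; the first line is the one quoted above.
SAMPLE_LOG = """\
May 30 18:01:12 host sshd[1234]: Accepted password from news from 212.66.37.242 port 3112 ssh2
May 30 18:05:40 host sshd[1240]: Accepted publickey for alice from 192.168.1.20 port 50212 ssh2
May 30 18:07:02 host sshd[1251]: Accepted password for bob from 203.0.113.9 port 4022 ssh2
May 30 18:07:05 host sshd[1251]: Failed password for root from 203.0.113.9 port 4023 ssh2
""".splitlines()

if __name__ == "__main__":
    # Real use: audit(open("/var/log/secure"))
    for f in audit(SAMPLE_LOG):
        print(f"SUSPICIOUS: {f.user}@{f.ip}: " + "; ".join(f.reasons))
```

Only "Accepted" lines are examined; failed attempts are noise for this purpose, and a successful login that trips no check (alice from the LAN) is dropped from the report. Run it against a copy of the log taken off the pulled disks in step 4, not on the compromised host itself.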