Too Busy For Words - the PaulWay Blog

Fri 24th Mar, 2006

The Oldest Trick in the Book

Shortly after I got in to work this morning, I found out that one of the lab machines I administer (running FC4) has been rootkitted. Damn. I feel incredibly guilty for this, as if I've done something personally wrong by not examining the admin logs every day, as if that could prevent such a thing occurring. Fortunately, Fedora Core 5 has recently been released, so I can do my trick from last time - boot up off the network install disk and install from the ISO images through NFS back to the server. I go to work out whether everything has been backed up on the troubled machine, and it's got a screen saver lock. I say to the user, "Can you type in your password?" and he says "Oh, it's just the same as my username."

Oh dear.

Fortunately he hasn't used the same password elsewhere, so my main server and the dual-core Intel machine are still intact. As far as I and chkrootkit can tell.

I'm still going to be upgrading my server by blowing everything away and restoring, to finally blow away the lingering cobwebs of the problems I had with the development and atrpms repositories when I installed this thing back when Fedora Core 2 was just out... My plan is to use dar to back up everything with the permissions intact, and then restore selectively from there using dar-static from the archive disk (a 250GB USB drive). Or at least, that's the plan once I've finished editing the paper I've got to finish.



All posts licensed under the CC-BY-NC license. Author Paul Wayper.


© 2004-2023 Paul Wayper