disaster recovery after rootkit -> MySQL and user accounts

Dave [Hawk-Systems] dave at hawk-systems.com
Wed Apr 23 13:14:55 PDT 2003

The new server is FreeBSD and this is an ISP hosting environment...  other than
that it doesn't really fit this group, but figured I would have a good chance of
hitting someone in here with some pearls of wisdom.

Recently inherited a Debian Linux box from a small ISP.  While it was scheduled
to transfer everything over to our chosen platform (FreeBSD) we noticed some
peculiarities.  Evidently one of the previous "sysadmins" had given out his
login information to allow people to fix their own problems.  Sure enough, check
the server and someone had installed a root kit, done a poor job, and now the
box was melting down.

The end result is we managed to tar up user web directories, passwd files, etc...
and get most of the information off of it.  Two major hurdles remain.

1) MySQL won't start due to all the corrupted libraries.  While I can copy all
the data files from the data directory, I am not sure how or if we could import
all this back into MySQL on the new server and still have MySQL user/password
and permissions in place (there are about 30 databases).

2) To recreate all the user FTP accounts, we are looking to import the
passwd/shadow/group files.  We will be editing them to remove all
non-privileged group access, and altering the home directory locations.  Moving
from Debian to FreeBSD - can we recover, and/or just use the existing encrypted
passwords, or just blank everything and reset them all manually later?

So far, the entire system is rebuilt with FreeBSD 4.x stable branch,  the only
information we are moving over from the old server is
	- user public_html directories (chowned and chmodded to the users' permissions)
	- portions of the httpd.conf (namely virtualhost containers) edited as
	- mysql databases

Any vulnerabilities that could be transported as a result of moving this
information over?

Thanks for any help or direction with the above issues.
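
The passwd/shadow import from point 2, as an added example that is not part of the original post: it merges Debian-style passwd and shadow text into FreeBSD master.passwd lines, drops system and uid-0 entries, forces one unprivileged group and new home directories, and locks any account whose hash is not in a recognised format. Assumptions: MD5-crypt and traditional DES hashes are accepted on both systems, and the gid 2000, /home base, /sbin/nologin shell, uid cutoff of 1000 and sample data are constructed for illustration.

```python
import re

# Hash formats assumed to be understood by both systems' crypt(3):
# MD5-crypt ("$1$salt$hash") and 13-character traditional DES.
PORTABLE = re.compile(r"^(\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}|[./0-9A-Za-z]{13})$")
SAFE_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,15}$")

def convert(passwd_text, shadow_text, gid=2000, home_base="/home",
            shell="/sbin/nologin", min_uid=1000):
    """Return (master.passwd lines, names needing a reset, rejected entries)."""
    hashes = dict(l.split(":")[:2] for l in shadow_text.splitlines() if ":" in l)
    lines, needs_reset, rejected, seen = [], [], [], set()
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) != 7 or not f[2].isdigit() or not SAFE_NAME.match(f[0]):
            rejected.append((f[0], "malformed entry or name"))
            continue
        name, uid = f[0], int(f[2])
        if uid < min_uid or uid in seen:
            rejected.append((name, "system, uid-0 or duplicate uid %d" % uid))
            continue
        seen.add(uid)
        pw = hashes.get(name, "")
        if not PORTABLE.match(pw):
            pw = "*"  # empty, locked or unknown format: lock until reset
            needs_reset.append(name)
        # name:password:uid:gid:class:change:expire:gecos:home:shell
        # Old gid, home directory and shell are deliberately discarded.
        lines.append("%s:%s:%d:%d::0:0:%s:%s/%s:%s"
                     % (name, pw, uid, gid, f[4], home_base, name, shell))
    return lines, needs_reset, rejected

# Constructed sample input (not taken from the compromised host).
SAMPLE_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
toor2:x:0:0::/tmp:/bin/sh
bob:x:1002:0:Bob:/var/www/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/false
"""
SAMPLE_SHADOW = """\
alice:$1$abcdefgh$0123456789abcdefghijkl:12000:0:99999:7:::
toor2::12000:0:99999:7:::
bob:!:12000:0:99999:7:::
carol:ab0123456789.:12000:0:99999:7:::
"""

if __name__ == "__main__":
    out, reset, bad = convert(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(out)); print("reset:", reset); print("rejected:", bad)
```

Every rejected entry is worth reading by hand before the output goes anywhere near the new host, since an extra uid-0 account is exactly what a rootkit install tends to leave behind.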
