disaster recovery after rootkit -> MySQL and user accounts

Lewis Watson lists at visionsix.com
Wed Apr 23 13:50:33 PDT 2003 

----- Original Message -----
From: "Dave [Hawk-Systems]" <dave at hawk-systems.com>
To: <freebsd-isp at freebsd.org>
Sent: Wednesday, April 23, 2003 3:14 PM
Subject: disaster recovery after rootkit -> MySQL and user accounts


> the new server is FreeBSD and this is an ISP hosting environment...
other than
> that it doesn't really fit this group, but figured would have a good
chance of
> hitting someone in here with some pearls of wisdom.
>
> Recently inherited a Debian Linux box from a small ISP.  While it was
scheduled
> to transfer everything over to our chosen platform (FreeBSD) we notices
some
> peculiarities.  Evidently one of the previous "sysadmins" had given out
his
> login information to allow people to fix their own problems.  Sure
enough, check
> the server and somone had installed a root kit, dont' a poor job, and
now the
> box was melting down.

> 1) Mysql won't start due to all the corrupted libraries.  While I can
copy all
> the data files from the data directory,  not sure how or if we could
import all
> this back into mysql on the new server and still have mysql
user/password and
> permissions still in place (there are about 30 databases)
> So far, the entire system is rebuilt with FreeBSD 4.x stable branch,
the only
> information we are moving over from the old server is
> - user public_html directories (chowned and chmodded to the users
permissions)
> - portions of the httpd.conf (namely virtualhost containers) edited as
> necessary
> - mysql databases
>
> any vulnerabilities that could be transported as a result of moving this
> information over?
>
> thanks for any help or direction with the above issues.
>
> Dave

Hi Dave,
I moved from RH Linux to FreeBSD and it seems that I just shut down MySQL
tar'd the MySQL database directory and untarred on the new FreeBSD server.
Had no problem with the user table or anything of the sort.  While this
doesn't cover everything it perhaps will help on the MySQL aspect of
things.

Another thing I could say is to look at putting the VirtualHost lines in a
separate directory when you have time and doing an include statement
within the httpd.conf file. It makes things much more portable
http://httpd.apache.org/docs/mod/core.html#include
HTH,
Lewis

More information about the freebsd-isp mailing list