Re: strange connection on port 111.. more question
From: Avery Payne (apayne@pcfruit.com)
Date: 08/16/01
- Previous message: R Dicaire: "NIS - ypserv"
- In reply to: John Oliver: "Re: strange connection on port 111.. more question"
- Next in thread: Hugo van der Kooij: "Re: strange connection on port 111.. more question"
Message-ID: <00c101c12674$a82f79b0$7201a8c0@pcfruit.com>
From: "Avery Payne" <apayne@pcfruit.com>
To: "John Oliver" <john.oliver@hosting.com>
Subject: Re: strange connection on port 111.. more question
Date: Thu, 16 Aug 2001 09:58:21 -0700
> xyros wrote:
> >
> > do u have more ideas that the ways can find any backdoor, rootkit, or
> > any suspicious things?
>
> You're never going to find anything while that filesystem is live. You
> need to shut it down, mount the disk(s) RO on a known clean machine, and
> *then* search for the backdoors and such. But that's probably a waste
> of time... you only need to miss one, and the machine will be just as
> bad, if not worse, *very* quickly.
>
> You might as well put up a new box, transfer data and apps to it, and
> then burn the old one to the ground.
Get a fresh drive (assuming IDE drives), make it the primary install (say,
/dev/hda), make the 2nd drive some non-standard mount point (say, "old_root"
on /dev/hdb); use the fresh, "trusted" install to get your machine's
services back up and running, while simultaneously inspecting the
"untrusted" install. This has the added advantage of allowing you to
transfer custom scripts and settings from the old drive that can be
pre-verified by yourself as "safe", while searching for the backdoor(s) that
have been installed. It also shrinks your downtime. Be sure to not plug
the machine into an untrusted network before continuing.
Just my .02 cents.
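
One way to carry out the inspection described in the message above, as an added example that is not part of the original post: from the fresh install, compare the old drive's system binaries against the trusted copies and list its setuid/setgid files. It assumes the old drive is already mounted read-only at /old_root (the mount options and partition number in the comment are assumptions) and that `sha256sum` is available; the function names are hypothetical.

```shell
#!/bin/sh
# Assumed to have been run first, from the trusted install:
#   mount -o ro,noexec,nosuid,nodev /dev/hdb1 /old_root
# (/dev/hdb1 is an assumption; the post only names /dev/hdb.)

# diff_binaries OLD_ROOT TRUSTED_ROOT DIR...
# Prints "CHANGED <path>" when a file on the old drive hashes differently
# from the trusted copy, and "EXTRA <path>" when it exists only on the old
# drive. A CHANGED line can also mean a different package version, so each
# hit needs a manual look before anything is copied across.
diff_binaries() {
    old=$1; trusted=$2; shift 2
    for dir in "$@"; do
        [ -d "$old/$dir" ] || continue
        find "$old/$dir" -xdev -type f | sort | while IFS= read -r f; do
            rel=${f#"$old"}
            if [ ! -f "$trusted$rel" ]; then
                echo "EXTRA $rel"
            elif [ "$(sha256sum < "$f")" != "$(sha256sum < "$trusted$rel")" ]; then
                echo "CHANGED $rel"
            fi
        done
    done
}

# list_setid OLD_ROOT
# Prints "SETID <path>" for every setuid or setgid regular file on the old drive.
list_setid() {
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        rel=${f#"$root"}
        echo "SETID $rel"
    done
}

# Stand-alone use: sh inspect.sh /old_root / bin sbin usr/bin usr/sbin
if [ "$#" -ge 3 ]; then
    diff_binaries "$@"
    list_setid "$1"
fi
```

Nothing on the old drive is executed: the files are only read and hashed by tools from the trusted install.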