Re: [cobalt-users] Lost web interface w/ raq4
- Subject: Re: [cobalt-users] Lost web interface w/ raq4
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Wed Jun 5 14:04:00 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Jim Dory wrote:
> Oh boy. Now I'm thinking hacked. Ran chkrootkit and it reports 3 hidden
> procs and possible LKM worm. Now I get to spend my day trying to figure
> out how to recover. If I can confirm it, looks like I may have to
> reinstall. No clue how, but I'm sure plenty has been written on the
> subject. If anyone wants to jumpstart me on it before I start my
> research, that'd be cool.
Jim, there are some false alarms you can get from chkrootkit, but if it
says you've got a possible LKM worm, then you probably do <frown>.

Give me a call if you'd like; the most important thing is to have the
latest rebuild CDROM, to run it first as a dry run, to read the
instructions and to make sure you've got the right kind of NIC card, so
you'll be able to rebuild your RaQ.

Then you'll want to use CMU to copy off the sites. We create the
/home/cmu subdirectory, then tar it up using

# tar -czf whateverdirectory.tar.gz /home/cmu/whateverdirectory

(where whateverdirectory is the name of the directory (just under
/home/cmu) that you're backing up). If you've installed any custom
software on your RaQ you'll want to have the latest copies available to
save time when rebuilding your RaQ.

If you've saved any information on your RaQ outside of
site-space/user-space, you'll want to copy it off as well, as CMU will
only copy site-space and user-space.

Call me if you'd like; we've got a lot of experience with this kind of
problem/rebuild.
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
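
An added example, not part of the original message: one way to do the "tar it up" step so the archive can be checked after it is copied off the RaQ and before the rebuild wipes the disk. The function names are hypothetical, and it assumes GNU tar and sha256sum are available. The checksum only shows the copy matches what the host wrote, not that the content is clean.

```shell
#!/bin/sh
# Added example: archive one CMU export directory and record a checksum
# so the copy can be verified on the machine that receives it.
# Assumptions: GNU tar and sha256sum; all function names are hypothetical.

# archive_export SRC_PARENT NAME DEST
# Writes DEST/NAME.tar.gz from SRC_PARENT/NAME plus DEST/NAME.tar.gz.sha256.
archive_export() {
    src_parent=$1; name=$2; dest=$3
    [ -d "$src_parent/$name" ] || { echo "missing: $src_parent/$name" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # -C stores relative paths, so the archive unpacks under any directory.
    tar -czf "$dest/$name.tar.gz" -C "$src_parent" "$name" || return 1
    # Read the archive back end to end; a truncated or damaged file fails here.
    tar -tzf "$dest/$name.tar.gz" >/dev/null || return 1
    ( cd "$dest" && sha256sum "$name.tar.gz" > "$name.tar.gz.sha256" )
}

# verify_export DEST NAME
# Run where the copy landed; returns non-zero if the archive changed in transit.
verify_export() {
    ( cd "$1" && sha256sum -c "$2.tar.gz.sha256" >/dev/null 2>&1 )
}

# count_members DEST NAME
# Prints the number of entries in the archive, for comparison with the source.
count_members() {
    tar -tzf "$1/$2.tar.gz" | wc -l | tr -d ' '
}
```

On the RaQ this would be called as `archive_export /home/cmu whateverdirectory /home/backup`, with `verify_export` run again on the machine holding the copy; `/home/backup` is a placeholder path.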