jbfixurpc at gmail.com
Tue Feb 23 16:47:00 CST 2010
Just figured I might add a little direction to this.
1. If it's a production system that impacts several users/customers, your best
bet would be to rebuild the system from scratch, not an image. Yes, it takes
time, but investigating it will likely take longer. As you previously
mentioned, the folk(s) that were in charge of the system are no longer in
that capacity, which (depending on the "craftiness" of them) could have
left an intentional (or not) exploit now plaguing you.
2. If you're intent on finding a root cause, you will probably need to spend
quite a bit of time and caution investigating the said system. As soon as
there's mention of a "rootkit", everything is suspect, i.e. ls might not be
ls, df may not be df. Might be worth adding the volume to a known good
system, mounting it and comparing the image/structure and said files. But of
course, as I mentioned above, if it's a critical system then you're kind of
stuck with an aggressive time line so...
Obviously an IDP will mask the issue, but won't fix it.
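
The comparison suggested in point 2, sketched as an added example that is not part of the original post: it hashes every file under a known-good reference tree and under the suspect volume as mounted on a clean analysis host, then lists what differs. The function names, the two root paths and the tiny constructed trees in `demo()` are assumptions made for illustration; the reference tree is assumed to come from a trusted install of the same OS release.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Describe one path without following symlinks."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # Compare link text only: following it would read the analysis host's files.
        return ("link", os.readlink(path))
    if not stat.S_ISREG(st.st_mode):
        return ("special", stat.S_IFMT(st.st_mode))  # never open FIFOs or devices
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    # Include permission bits so a newly setuid binary shows up as modified.
    return ("file", digest.hexdigest(), stat.S_IMODE(st.st_mode))

def snapshot(root):
    """Map each relative path under root to its fingerprint."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = fingerprint(full)
    return entries

def compare(reference_root, suspect_root):
    """Return paths that are modified, missing or extra on the suspect tree."""
    ref, sus = snapshot(reference_root), snapshot(suspect_root)
    return {
        "modified": sorted(p for p in ref.keys() & sus.keys() if ref[p] != sus[p]),
        "missing": sorted(ref.keys() - sus.keys()),
        "extra": sorted(sus.keys() - ref.keys()),
    }

def demo():
    # Constructed sample trees: "good" is the reference, "suspect" the mounted volume.
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good", "bin"), os.path.join(tmp, "suspect", "bin")
        for tree, files in ((good, {"ls": b"ls-v1", "df": b"df-v1", "ps": b"ps-v1"}),
                            (bad, {"ls": b"ls-patched", "df": b"df-v1", "sk": b"x"})):
            os.makedirs(tree)
            for name, data in files.items():
                with open(os.path.join(tree, name), "wb") as fh:
                    fh.write(data)
        return compare(os.path.dirname(good), os.path.dirname(bad))
```

Run it from the clean host with the suspect volume mounted read-only, so the tools doing the comparison are not the ones under suspicion.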