Date: Wed, 23 Apr 2003 16:14:51 -0400
From: "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To: <freebsd-isp@freebsd.org>
Subject: disaster recovery after rootkit -> MySQL and user accounts
Message-ID: <DBEIKNMKGOBGNDHAAKGNKELGMNAB.dave@hawk-systems.com>
The new server is FreeBSD and this is an ISP hosting environment... other than that it doesn't really fit this group, but figured it would have a good chance of hitting someone in here with some pearls of wisdom.

Recently inherited a Debian Linux box from a small ISP. While it was scheduled to transfer everything over to our chosen platform (FreeBSD) we noticed some peculiarities. Evidently one of the previous "sysadmins" had given out his login information to allow people to fix their own problems. Sure enough, checked the server and someone had installed a rootkit, done a poor job, and now the box was melting down.

The end result is we managed to tar up user web directories, passwd files, etc... and get most of the information off of it. Two major hurdles remain.

1) MySQL won't start due to all the corrupted libraries. While I can copy all the data files from the data directory, not sure how or if we could import all this back into MySQL on the new server and still have MySQL user/password and permissions still in place (there are about 30 databases).

2) To recreate all the user FTP accounts, we are looking to import the passwd/shadow/group files. We will be editing them to remove all non-privileged group access, and altering the home directory locations. Moving from Debian to FreeBSD - can we recover, and/or just use the existing encrypted passwords, or just blank everything and reset them all manually later?

So far, the entire system is rebuilt with the FreeBSD 4.x stable branch; the only information we are moving over from the old server is
- user public_html directories (chowned and chmodded to the users' permissions)
- portions of the httpd.conf (namely virtualhost containers) edited as necessary
- mysql databases

Any vulnerabilities that could be transported as a result of moving this information over?

Thanks for any help or direction with the above issues.

Dave
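One way to handle the second question (carrying the Debian passwd/shadow entries over to a FreeBSD 4.x master.passwd while auditing what came off the rooted box), as an added example that is not part of the original post or of any reply in the thread. It assumes FreeBSD 4.x crypt(3) accepts traditional DES (13-character) and MD5 crypt ("$1$...") strings, so those hashes can be reused as-is while anything else is locked with "*" and listed for a manual reset; it also assumes system accounts (UID below 1000 on Debian) are not migrated, that homes move under /usr/home, and that FTP-only users get /sbin/nologin (FreeBSD ftpd only admits shells listed in /etc/shells, so that shell must be added there or a different one chosen). The sample passwd/shadow text, including the extra UID-0 account and the truncated hash, is constructed purely to exercise the checks; the function names are hypothetical.

```python
import re

# Hash strings FreeBSD 4.x crypt(3) understands (assumption, see lead-in):
# traditional DES (13 chars) and MD5 crypt ($1$salt$22chars).
DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')
MD5_RE = re.compile(r'^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$')

# Constructed sample input standing in for the files tarred off the old box.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob,,,:/home/bob:/bin/bash
carol:x:1003:1003:Carol,,,:/home/carol:/bin/bash
r00t:x:0:0::/tmp/.x:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$Ab3dEf9h$0123456789abcdefghijkl:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
alice:$1$Q9zXw1pL$abcdefghijklmnopqrstuv:12100:0:99999:7:::
bob:$1$Q9zXw1pL$abcdefghijk:12100:0:99999:7:::
carol::12100:0:99999:7:::
r00t:$1$zz9Yx1Qp$lkjihgfedcba9876543210:12000:0:99999:7:::
"""


def parse_passwd(text):
    """Debian /etc/passwd -> {name: {uid, gid, gecos, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError('malformed passwd line: %r' % line)
        name, _, uid, gid, gecos, home, shell = fields
        users[name] = {'uid': int(uid), 'gid': int(gid), 'gecos': gecos,
                       'home': home, 'shell': shell}
    return users


def parse_shadow(text):
    """Debian /etc/shadow -> {name: hash string} (other fields are dropped)."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 9:
            raise ValueError('malformed shadow line: %r' % line)
        hashes[fields[0]] = fields[1]
    return hashes


def usable_hash(h):
    """True if the hash can be verified by FreeBSD 4.x crypt(3) (assumption)."""
    return bool(DES_RE.match(h) or MD5_RE.match(h))


def audit(users, hashes):
    """Things to look at before trusting any account from a compromised host."""
    findings, by_uid = [], {}
    for name, u in sorted(users.items()):
        by_uid.setdefault(u['uid'], []).append(name)
        if u['uid'] == 0 and name != 'root':
            findings.append('%s: uid 0 account that is not root' % name)
        h = hashes.get(name)
        if h is None:
            findings.append('%s: no shadow entry' % name)
        elif h == '':
            findings.append('%s: empty password field' % name)
        elif not usable_hash(h) and not h.startswith(('*', '!')):
            findings.append('%s: hash %r is not a DES or MD5 crypt string' % (name, h))
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append('uid %d shared by %s' % (uid, ', '.join(names)))
    return findings


def to_master_passwd(users, hashes, home_base='/usr/home',
                     shell='/sbin/nologin', min_uid=1000):
    """Emit FreeBSD master.passwd lines (name:pw:uid:gid:class:change:expire:
    gecos:home:shell) for ordinary users; returns (lines, locked_accounts)."""
    lines, locked = [], []
    for name, u in sorted(users.items(), key=lambda kv: kv[1]['uid']):
        if u['uid'] < min_uid:          # system accounts are recreated, not copied
            continue
        h = hashes.get(name, '')
        if usable_hash(h):
            pw = h                       # reuse the existing crypt string
        else:
            pw = '*'                     # lock; user gets a manual reset later
            locked.append(name)
        lines.append(':'.join([name, pw, str(u['uid']), str(u['gid']), '', '0', '0',
                               u['gecos'], '%s/%s' % (home_base, name), shell]))
    return lines, locked


if __name__ == '__main__':
    users, hashes = parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW)
    for f in audit(users, hashes):
        print('AUDIT:', f)
    lines, locked = to_master_passwd(users, hashes)
    print('\n'.join(lines))
    print('locked, need manual reset:', ', '.join(locked))
    # After appending the lines via vipw(8) (or editing /etc/master.passwd
    # directly), rebuild the databases with: pwd_mkdb -p /etc/master.passwd
```

Run against the constructed sample it reports the second UID-0 account, the shared UID, the empty password field and the unusable hash, and emits three master.passwd lines with alice's MD5 hash kept and bob and carol locked. The group file is left out deliberately: on FreeBSD the only privileged group an imported user should never land in is wheel, which is easiest to verify by hand once the accounts exist.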