From: "Dave [Hawk-Systems]" <dave@hawk-systems.com>
To: freebsd-isp@freebsd.org
Date: Wed, 23 Apr 2003 16:14:51 -0400
Subject: disaster recovery after rootkit -> MySQL and user accounts

The new server is FreeBSD and this is an ISP hosting environment... other than that it doesn't really fit this group, but figured it would have a good chance of hitting someone in here with some pearls of wisdom.

Recently inherited a Debian Linux box from a small ISP. While it was scheduled to transfer everything over to our chosen platform (FreeBSD) we noticed some peculiarities. Evidently one of the previous "sysadmins" had given out his login information to allow people to fix their own problems. Sure enough, checked the server and someone had installed a rootkit, done a poor job, and now the box was melting down. The end result is we managed to tar up user web directories, passwd files, etc... and get most of the information off of it. Two major hurdles remain.

1) MySQL won't start due to all the corrupted libraries. While I can copy all the data files from the data directory, not sure how or if we could import all this back into MySQL on the new server and still have MySQL user/password and permissions still in place (there are about 30 databases).

2) To recreate all the user FTP accounts, we are looking to import the passwd/shadow/group files. We will be editing them to remove all non-privileged group access, and altering the home directory locations. Moving from Debian to FreeBSD - can we recover and/or just use the existing encrypted passwords, or just blank everything and reset them all manually later?

So far, the entire system is rebuilt with FreeBSD 4.x stable branch; the only information we are moving over from the old server is:
- user public_html directories (chowned and chmodded to the users' permissions)
- portions of the httpd.conf (namely virtualhost containers) edited as necessary
- mysql databases

Any vulnerabilities that could be transported as a result of moving this information over?

Thanks for any help or direction with the above issues.

Dave
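One way to carry the old accounts over in the form FreeBSD's master.passwd expects, as an added example that is not part of the original mail or any reply: it merges Debian passwd and shadow entries, keeps only hashes FreeBSD's crypt(3) can verify (MD5 crypt "$1$" and 13-character DES; anything else is locked with "*" for a later manual reset), rewrites the home prefix, forces one shell, and deliberately drops supplementary group membership. The sample entries, the minimum UID of 1000, the /usr/home prefix and the /bin/sh shell are assumptions.

```python
import re

# Constructed sample input (not from the original mail): Debian-style passwd/shadow lines.
SAMPLE_MD5 = "$1$saltsalt$" + "A" * 22      # shaped like an MD5 crypt hash, not a real one
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/false
"""
SHADOW = f"""root:{SAMPLE_MD5}:12000:0:99999:7:::
alice:{SAMPLE_MD5}:12000:0:99999:7:::
bob:!:12000:0:99999:7:::
"""

# Hash shapes FreeBSD 4.x crypt(3) verifies: MD5 crypt ("$1$salt$hash") and 13-char DES.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def portable_hash(h):
    """Keep a hash FreeBSD can verify; anything else (locked '!', '*', unknown
    scheme) becomes '*' so the account stays locked until reset by hand."""
    if MD5_CRYPT.match(h) or DES_CRYPT.match(h):
        return h
    return "*"


def to_master_passwd(passwd_text, shadow_text, min_uid=1000,
                     old_home="/home", new_home="/usr/home", shell="/bin/sh"):
    """Emit FreeBSD master.passwd lines for non-system accounts:
    name:password:uid:gid:class:change:expire:gecos:home:shell.
    Supplementary groups are deliberately not carried over (rebuild by hand);
    accounts with uid < min_uid or primary gid 0 are skipped."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    out = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _, uid, gid, gecos, home, _old_shell = line.split(":")[:7]
        if int(uid) < min_uid or int(gid) == 0:
            continue
        if home == old_home or home.startswith(old_home + "/"):
            home = new_home + home[len(old_home):]
        pw = portable_hash(shadow.get(name, "*"))
        # class empty, change/expire 0; the shell must be listed in /etc/shells for ftpd logins
        out.append(":".join([name, pw, uid, gid, "", "0", "0", gecos, home, shell]))
    return out
```

Append the returned lines to /etc/master.passwd on the new box and rebuild the databases with `pwd_mkdb -p /etc/master.passwd`; review each line first, since a locked "*" entry means that user needs a password reset before FTP works.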