This article, How to restore a hacked Linux server, is being dugg quite a lot.
Anyone who does this is being (to put it mildly) silly.
You want reasons? OK, I’ll give you reasons. In fact, I only need one reason: you can never trust what the operating system is doing, or what it is reporting.
But I’ll just run a comparison between the files and known good copies
Nope - if the OS is compromised, then it could simply be redirecting access requests to a copy of the real files.
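The file comparison above is only meaningful when it is done from a system you do trust. As an added example (not from the original post), the script below builds a SHA-256 manifest of a directory tree and diffs it against a known-good manifest, reporting modified, missing and added files. It is meant to be run on a clean machine with the pulled drive mounted read-only, pointing `build_manifest` at that mount point (a path you supply; the demo uses a constructed temporary tree instead, so it runs offline):

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.

    Symlinks are skipped deliberately: following them would let a planted link
    make a tampered tree hash like the original.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def compare(known_good: dict, observed: dict) -> dict:
    """Diff two manifests: files whose hash changed, files gone, files that appeared."""
    modified = sorted(k for k in known_good if k in observed and observed[k] != known_good[k])
    missing = sorted(k for k in known_good if k not in observed)
    added = sorted(k for k in observed if k not in known_good)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed sample: a known-good tree and a 'suspect' tree standing in for
    the pulled drive mounted read-only on a clean host."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        suspect = Path(tmp) / "suspect"
        for root in (good, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "ls").write_bytes(b"original ls binary\n")
            (root / "bin" / "ps").write_bytes(b"original ps binary\n")
            (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        # Only the known-good tree has this file: it will show up as missing.
        (good / "etc" / "motd").write_text("welcome\n")
        # Tampering in the suspect tree (constructed): a replaced binary and
        # an unexpected cron entry.
        (suspect / "bin" / "ps").write_bytes(b"replaced ps binary\n")
        (suspect / "etc" / "cron.d").mkdir()
        (suspect / "etc" / "cron.d" / "unexpected").write_text("* * * * * root /tmp/.x\n")
        return compare(build_manifest(good), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The known-good manifest has to come from somewhere the attacker never touched (distribution package metadata, a pristine install, or a manifest you generated before the incident and stored off-box); a manifest produced by the compromised machine about itself proves nothing, which is exactly the post's point.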
…then I’ll check that it’s not running any services/etc that it shouldn’t
Who’s to say that the OS won’t simply hide that it’s running more?
I’ll just leave it online while I copy all my data. I’ll even set up iptables rules to block all access except to/from the machine I’m backing it up to.
Same thing — you can’t trust that the machine isn’t still reporting* or recording sensitive information (or simply corrupting your precious data).
* = OK, so if you are running ethereal or something from another machine, then you can see all the traffic… without this, there are no guarantees.
But they don’t have any backups! (Or they want to recover some data which hadn’t been backed up yet.)
Pull the drive and swap it out for a new one. (Even expensive drives are still cheaper than a second lot of call-out fees and down-time)
If worst comes to worst, and the data is compromised/corrupted you might need to send the drive off to a data recovery lab.
Alternatively (but only as a fall-back option) back it all up before formatting the drive. Note: DON’T use the compromised machine to access the data while it’s still running the compromised OS.
But we don’t have another drive to copy it all over to
If this is for a company, they’ll have at least one other machine; hijack it for a while to use as data storage until you can burn it to DVD or similar.
But I don’t have physical access to the machine because it’s co-located/hosted in a remote datacentre
Contact your datacentre, explain the situation, ask them what it’ll cost to have them pull the drive and put in a new one.
If you are being paid to do a system restore for a client, you should never ever allow the machine to keep running after a compromise. Ever.
