urgent problem (server hacked), result: "segmentation fault"


Hellbound
9th August 2008, 09:50
Hi guys,

I've had a server hacked on my network running on CentOS (trixbox).

The root password was changed by the intruder, so I tried to reboot using single mode on grub; however, the disk was on READONLY and couldn't write the passwd file.

So I rebooted using the trixbox CD and the linux rescue option, and I managed to restore the password. But when I do mount -o remount,rw / it gives "SEGMENTATION FAULT".
When I do ifconfig I get the same thing, and eth0 comes up with a "promiscuous mode" error, which is another odd thing.

I tried to scan the kernel with chkrootkit and it was suspected on some of the things, but it did not give any information on how to fix it.

I'm sorry to say this, but I'm not a linux guru since I've been on the Microsoft platform for a decade and am now migrating to linux.

So if you know the solution to this, please explain in basic steps that I can run.

Thanks a lot

falko
10th August 2008, 12:05
I strongly recommend setting up the system again from scratch - you can never know what else the hacker changed on the system. Maybe there are some other backdoors, etc.

Hellbound
10th August 2008, 12:12
Hi

Thanks for the reply,
That's what I am intending to do. However, I need to back up my databases from the latest state, and at this moment the mysql service doesn't run to fix it.

How can I do that?
Thanks again

falko
11th August 2008, 14:02
You can back up the /var/lib/mysql directory and then copy over the database directories from this directory to the new server. Usually this does not cause any problems.

Ben
11th August 2008, 14:35
Or boot the system with a liveCD like knoppix and copy the data to a USB drive or burn it to a CD.
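
The file-level copy described in the two replies above, as an added example that is not part of the original posts: run from rescue or live media, it takes only regular files out of the old data directory, logs anything else it finds there, strips permission bits and writes a SHA-256 manifest to check on the new server. The mount points /mnt/sysimage and /mnt/usb and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: old root mounted
# read-only from rescue/live media, USB drive mounted at /mnt/usb, e.g.
#   mount -o ro,nosuid,nodev,noexec /dev/<old-root> /mnt/sysimage
#   backup_datadir /mnt/sysimage/var/lib/mysql /mnt/usb/mysql-backup

# backup_datadir SRC DEST: copy only regular files, then hash and verify them.
backup_datadir() {
    src=$1 dest=$2
    [ -d "$src" ] || { echo "no such datadir: $src" >&2; return 1; }
    mkdir -p "$dest/data" || return 1
    # Symlinks, devices, sockets and FIFOs do not belong in a backup of
    # table files; list them for later review and leave them behind.
    (cd "$src" && find . ! -type f ! -type d) > "$dest/skipped.txt"
    # Copy regular files, keeping the one-directory-per-database layout.
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$dest/data/$(dirname "$f")" &&
        cp "$src/$f" "$dest/data/$f" || exit 1
    done || return 1
    # Drop any setuid/setgid/execute bits carried over from the old system.
    find "$dest/data" -type f -exec chmod 600 {} +
    find "$dest/data" -type d -exec chmod 700 {} +
    # Manifest so the new server can confirm the copy arrived unchanged.
    (cd "$dest/data" && find . -type f -exec sha256sum {} + | sort -k2) \
        > "$dest/SHA256SUMS"
    verify_backup "$dest"
}

# verify_backup DEST: re-check every copied file against the manifest.
verify_backup() {
    (cd "$1/data" && sha256sum -c ../SHA256SUMS > /dev/null)
}
```

The manifest only shows that the files were not altered after the copy; it says nothing about rows changed before it, so accounts and privilege tables still need a review on the new server.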

Hellbound
11th August 2008, 17:51
Hi,

Thanks for your information. I will do as you mentioned about backing up the mysql folder; it is a good option.

Thanks