Koozali.org: home of the SME Server

5.6 Hacked/Rooted, Trying to recover

Brian L.

5.6 Hacked/Rooted, Trying to recover
« on: March 31, 2004, 03:10:45 PM »
Everyone,

Well, I have a clients box that was rooted earlier this week. I have taken it offline, but there is data that I would like to get off of this box before I format it.

This box is 5.6 with most current updates. I will be moving this client to 6.0.1 ISO after I get the data off, but for now, I cannot get into the machine for a variety of reasons.

1 - I cannot get through the full boot, it halts just after "Enabling Swap Space -- OK". So, could someone provide a way for me to turn off services, so I can just get to a login? I have tried CTRL-X, then "Mitel-SME Emergency rw", but this asks for root password (explained in next problem). Booting normall always halts right after "Enabling Swap Space". Any help would be appreciated, perhaps in editing a file that can disable services.

2 - The root password has been changed. I have booted in with Knoppix to change the /etc/shadow file, to remove the root password, but this doesnt ever seem to have any impact. I remove the * between the first and second ":", save, and reboot, and the root password is still there (I am able to test using Mitel-SME emergency rw"). Any other good ideas on how to change root password? If I can fix #1, I can probably do this with "Mitel-SME single", but for now that just freezes after enabling swap like above.

Any help greatly appreciated.

Brian

Brian L.

Update
« Reply #1 on: March 31, 2004, 03:59:27 PM »
For problem #1, I am somewhat sure it is not the SWAP, as I have tried creating a new swap using mkswap -c /dev/hda2 from knoppix. This worked fine.

So, an additional question for problem #1 is: How can I find out the file where things boot, so I can disable the next thing after "enabling swap", whatever it is. Even finding out what is is would be useful even if I cant change it.

Thanks
Brian

Offline Boris

  • *
  • 783
  • +0/-0
5.6 Hacked/Rooted, Trying to recover
« Reply #2 on: March 31, 2004, 10:07:16 PM »
Why not copy data off this server while booted from Knoppix CD?
...

Brian L.

5.6 Hacked/Rooted, Trying to recover
« Reply #3 on: March 31, 2004, 11:51:10 PM »
One word: MySQL. The data I need is buried in multiple mysql databases, and the easiest/best way for me to get the data off is to be able to boot in and do a sql backup.

Brian

Brian L

Another Question - Logs
« Reply #4 on: April 01, 2004, 12:26:26 AM »
Another Question that I have that falls into this general topic -- Where can I find files about the boot up? IE, so I can pinpoint what is going wrong right after enabling swap.

Someone, Anyone, Throw me a bone!

Brian

Brushfireb

Incentive!
« Reply #5 on: April 01, 2004, 01:45:43 AM »
Everyone,

To provide some incentive for someone to help me out, I am offering $50 via paypal to someone who can help me sort this out so I can just get the box up and running -- fixing the #1 problem is primary.

Brian

LoRz

5.6 Hacked/Rooted, Trying to recover
« Reply #6 on: April 01, 2004, 03:38:58 AM »
From the top of my mind there is an "interactive boot" option that can be used to allow/prevent services from being started.

try this:

1. Edit /etc/sysconfig/init to contain the line

PROMPT=yes

(If it's set to NO).
 
2. Reboot box and hold button "I" pressed during hardware configuration messages shown on the screen. At some point you'll see questions about which service start or not. Then you can select services you need to run. Hope, it may help to resolve your problem  :-).

Regards

Brian

5.6 Hacked/Rooted, Trying to recover
« Reply #7 on: April 01, 2004, 03:54:04 AM »
Lorz,

Thanks for the suggestion. I dont think the boot is getting far. After trying your suggestion, i doesnt do anything except echo onto the screen. tryed holding, tapping, pressing randomely, nothing.

Im not convinced the machine has even started loading services yet.

The last couple lines that I see are:

Finding Module Dependencies       [ OK ]
Checking Filesystems
  /Boot: recovering journal
  /Boot: clean, 33/26104, somenumber blocks
Mounting Local Filesystems        [ OK ]
Enabling Local Filesystem Quotas  [ OK ]
Enabling Swap Space               [ OK ]

It halts there, the line above just sits there forever.

Brian

Ed

5.6 Hacked/Rooted, Trying to recover
« Reply #8 on: April 01, 2004, 04:14:59 AM »
Can you login in single user mode?

I think  
ctrl-x  when the blue screen comes up.
? for list of kernels
then type '(kernel) single'  where (kernel) is one of the kernels listed.

Ed

Offline mdo

  • *
  • 355
  • +0/-0
5.6 Hacked/Rooted, Trying to recover
« Reply #9 on: April 01, 2004, 04:44:15 AM »
I would go with Boris' recommendation:

Boot from Knoppix to be able to check
- is that HDD still properly partitioned?
- can you run an file system check (e2fsck) on the existing partitions?

Regards,
Michael
...

Offline Boris

  • *
  • 783
  • +0/-0
5.6 Hacked/Rooted, Trying to recover
« Reply #10 on: April 01, 2004, 05:34:34 AM »
I am no MySQL guru (or any serious DB guru for this mater), but I have copied all the files from /var/lib/mysql folder (while MySQL server was stopped) to the new server before and it worked.
By the way I’ve done before almost the same with MSSQL data as well and it worked too.
...

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #11 on: April 01, 2004, 09:32:11 PM »
Quote from: "Ed"
Can you login in single user mode?

I think  
ctrl-x  when the blue screen comes up.
? for list of kernels
then type '(kernel) single'  where (kernel) is one of the kernels listed.

Ed


Yes, I have tried this. Strangely, I get "Segmentation fault" whenever I try to do anything.

I really think this system has huge HD corruption.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #12 on: April 01, 2004, 09:33:48 PM »
Quote from: "mdo"
I would go with Boris' recommendation:

Boot from Knoppix to be able to check
- is that HDD still properly partitioned?
- can you run an file system check (e2fsck) on the existing partitions?

Regards,
Michael


Michael,

Thanks for the tip. I have already checked the partitions, and can access all of them fine when I am booted from Knoppix. They mount find and I can move around and grab files. e2fsk runs fine, no errors.

I have even begun testing the hardware to see if that is an issue. Memtest86 returns all fine.

Anonymous

5.6 Hacked/Rooted, Trying to recover
« Reply #13 on: April 01, 2004, 09:35:11 PM »
Quote from: "Boris"
I am no MySQL guru (or any serious DB guru for this mater), but I have copied all the files from /var/lib/mysql folder (while MySQL server was stopped) to the new server before and it worked.
By the way I’ve done before almost the same with MSSQL data as well and it worked too.


I think this is what I am going to have to do. I have another unused machine that I am going to get access to this weekend, and I will do fresh install of 5.6 and try to grab the data out of MySql by copying files like you suggest.

I will let you know how I fare.

Brian

freddo

5.6 Hacked/Rooted, Trying to recover
« Reply #14 on: April 02, 2004, 04:06:35 AM »
Unfortunately u have been "rooted"

I have had 5 machines screwed up in the last two weeks. Your 'segmentation fault' message is because that particular command has been hacked.
eg if you try using ls in single user you may get the message but try dir and you wont.

the disk is fine just commands like ps, ls etc are screwed.

if you can mount the disk on a different machine you should be able to copy any data off.

I was lucky - only using them as firewalls so it was a simple rebuild fir me