Paul Taylor wrote:
Hi all:
I have now been "hacked" on 2 servers and (excuse the pun) I am hacked off with the whole thing. On the latest one, the server appears fine but the root password has been changed (man in the middle?). One of my ISPs just said back up the main data and re-image the machine. That seems somewhat excessive? I have access to recovery mode and all my files are mounted. What should I do???
If your box is rooted, then a complete reinstallation from known good install media is the only way to be sure of a clean installation. A rooted box can have special binaries installed that hide certain processes and prevent the detection of root kits and back doors. If the compromise was "just" via a webserver and no privilege escalation occurred, then you might be able to get away with tightening your settings, but this doesn't sound like the case if the root password has been changed.

Tony