Paul Taylor wrote:
I have now been "hacked" on 2 servers and (excuse the pun) I am hacked off
with the whole thing. On the latest one, the server appears fine but the
root password has been changed (man in the middle?). One of my isps just
said back up the main data and re-image the machine. That seems somewhat
excessive? I have access to recovery mode and all my files are mounted.
What should I do???
If your box is rooted, then a complete reinstallation from known good
install media is the only way to be sure of a clean installation.
A rooted box can have special binaries installed that hide certain
processes and prevent the detection of root kits and back doors. If the
compromise was "just" via a webserver and no privilege escalation
occurred, then you might be able to get away with tightening your
settings, but this doesn't sound like the case if the root password has