Web Hosting Talk

Advice on Restoring System (Plesk)


VagrantHost
11-25-2004, 03:25 PM
Hi,

My server has been compromised by what we believe is a rootkit. Our datacenter is going to take the server offline and reload the OS.

psadump is not working on the system, so I had to make manual backups. I backed up the following:

/home/httpd/vhosts
/etc
/var/lib/mysql (I also did a huge mysqldump --all-databases)
/var/lib/psa
/var/named
/var/qmail
/usr/bin/psa

When the system is restored on the main drive, what advice can anyone give on restoring the system and any steps I need to take to do this properly?

Thanks,

Carter

AcuNett
11-25-2004, 04:19 PM
Just CP everything back, they should come up properly.

VagrantHost
11-25-2004, 06:08 PM
they installed Plesk 7.1.6, whereas i had 7.1.4

is this going to screw up the process?

Steven
11-25-2004, 06:10 PM
Originally posted by VagrantHost
they installed Plesk 7.1.6, whereas i had 7.1.4

is this going to screw up the process?

No it will not. They had to install 7.1.6, since 7.1.4 is outdated.

VagrantHost
11-25-2004, 06:14 PM
one other question... do i have to restore the whole /etc directory? or are they specific files that i can restore without having to do the whole thing?

AcuNett
11-25-2004, 06:16 PM
If it's just a restore on the same system, restoring the whole /etc/ won't hurt.

Steven
11-25-2004, 06:22 PM
Acunett BAD IDEA!!! You should know that. If the server is root compromised before you restore them you MUST check the integrity of the passwd and shadow files. In my opinion that would be a stupid move. Also check xinetd files, backdoors are hidden there as well, very easily.

VagrantHost
11-25-2004, 06:27 PM
well, are there any files in any of those folders that i should NOT restore? again, the new version is 7.1.6 compared to 7.14.

Steven
11-25-2004, 06:29 PM
Originally posted by VagrantHost
well, are there any files in any of those folders that i should NOT restore? again, the new version is 7.1.6 compared to 7.14.

That is beside the point. Before you restore anything from the etc directory you need to make sure the attacker did not install a backdoor in them; for example, /etc/xinetd.d/, /etc/passwd, /etc/shadow, /etc/rc.sysinit, /etc/rc.local are just some examples.

VagrantHost
11-25-2004, 08:58 PM
i moved stuff over, but i'm getting the following errors on "service psa start"

===> Reading /etc/psa/psa.conf ...
db_connect: failed to connect to database: Error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
Unable to connect to mysql database
Starting psa-spamassassin service: [FAILED]
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
db_connect: failed to connect to database: Error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
db_connect: failed to connect to database: Error: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (111)
Key register failed
/usr/local/psa/admin/bin/httpsdctl: line 227: 19159 Terminated $HTTPD
/usr/local/psa/admin/bin/httpsdctl start: httpd could not be started
Starting Plesk: [FAILED]

lumbyjj
11-25-2004, 11:19 PM
Did you import your databases?? Including the "psa" database?? Did you copy /etc/psa ???

VagrantHost
11-26-2004, 12:49 AM
by import, do you mean a mysql query or just copying the /var/lib/mysql directory over? i copied the directory over, but i'm having some problems with the mysql password.

i did copy the /etc/psa directory over.

for some reason, there is no user "admin".

lumbyjj
11-26-2004, 12:51 AM
You need to actually create a mysql database called psa
and import the data, like a dump, but the reverse..

VagrantHost
11-26-2004, 03:00 AM
my sql backup file is a dump of all databases, using the --all-databases command.

i don't suppose you know the command to restore that?

lumbyjj
11-26-2004, 08:02 AM
Try: mysql -u root -psecret < backup.sql

AcuNett
11-26-2004, 11:33 AM
Originally posted by thelinuxguy
Acunett BAD IDEA!!! You should know that. If the server is root compromised before you restore them you MUST check the integrity of the passwd and shadow files. In my opinion that would be a stupid move. Also check xinetd files, backdoors are hidden there as well, very easily.

Yes very true, I don't know what I was doing, I must have been thinking along the lines of hardware failure.