05-28-2004
chris@nospam.com
Re: Linux server brought down by Elite on 31337 port and also how to install 2 hard disks on the same linux machine

On 25 May 2004 17:55:04 -0700, nsajus@yahoo.com (Ann) wrote:

>Hi,
>
>I had been running a Redhat 9 Linux server. Today when I ran nmap I
>saw a new entry called Elite using port 31337. I disconnected the
>computer from the network and tried to restart the machine. On
>restarting it went to INIT-2.05b
>prompt. Is there any way I can restore my server back?:((
>
>I removed this hard disk and tried to make this a secondary hard drive
>on another redhat linux machine (whose hard disk will serve as the
>primary hard disk) in the hope that I can mount the second hard disk
>and browse the contents and make backups. After I install the
>corrupted hard disk along with the good redhat linux hard disk, and
>restart it, it shows the primary hard disk (the good redhat disk) info
>and then it just hangs. I read somewhere that the second hard disk
>should automatically be detected by the redhat machine, but it
>doesn't get there. Does it matter if the hard disks on both the
>machines are named hda? Is there a way to rename one of them to hdb? I
>know all these must be stupid questions. I am kind of new at this.
>
>Can anyone please help me? I'll be eternally grateful.
>
>Thanks,
>Ann



So it just booted to single user mode then? You might have been able
to just do 'init 3' or 'init 5'. If the system has been compromised,
you just want to get the data files off and rebuild the install. No
telling how many backdoors were installed.

As for the disk problem, you probably need to set the disk to be a
slave. In theory, duplicate labels should not be an issue as it
should mount the first matching label found which should be on the
first disk. Despite theory, I have had it not work correctly.

For forensics purposes, I would start by making an image of the drive.
If the hacker was any good, most of the evidence is gone or hard to
find (e.g. files deleted, but possibly recoverable).


-Chris
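The imaging step recommended in the reply above, as an added example that is not part of the original post: it copies a source to an image file, hashes both, and records the digest so any later change to the image is detectable. The function names and the constructed stand-in file are assumptions; on the real system the source would be the suspect drive's device node (for instance /dev/hdb once it is jumpered as slave).

```shell
#!/bin/sh
# Added example (not from the original post): acquire and verify a disk image.

# Print the SHA-256 of a file or block device.
sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# image_and_verify SRC DEST
# Returns 0 if the image matches the source, 1 on hash mismatch,
# 2 if SRC is unreadable, 3 if DEST already exists, 4 if dd fails.
image_and_verify() {
    src=$1; dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 3; fi
    # noerror,sync: continue past unreadable sectors and zero-fill them.
    # bs=512 keeps the padding to one sector, so an intact disk (always a
    # multiple of 512 bytes) produces an image of exactly the same length.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null || return 4
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dest")
    chmod a-w "$dest"                      # guard against accidental writes
    printf '%s  %s\n' "$img_hash" "$(basename "$dest")" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: re-check IMG against the digest recorded at acquisition.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1
}

# Demo on a constructed 1 MiB stand-in for the suspect disk (runs without root).
work=$(mktemp -d)
dd if=/dev/urandom of="$work/suspect.raw" bs=512 count=2048 2>/dev/null
if image_and_verify "$work/suspect.raw" "$work/evidence.img"; then
    echo "image verified: $(cat "$work/evidence.img.sha256")"
else
    echo "image does NOT match source" >&2
fi
verify_image "$work/evidence.img" && echo "recorded digest still matches"
rm -rf "$work"
```

Run the analysis against a copy of the image rather than the original disk, and re-run `verify_image` before and after each session.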