SCIENTIFIC-LINUX-USERS Archives

July 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Brandon Vincent <[log in to unmask]>
Reply To: Brandon Vincent <[log in to unmask]>
Date: Wed, 30 Jul 2014 05:29:40 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (36 lines)

On Wed, Jul 30, 2014 at 4:27 AM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> Once someone is in as root, they can manipulate your basic system
> libraries, including the ones used to build checksums and audit for
> intrusion. Take it offline and *replace* that OS, ASAP, and consider
> any passwords used on it to have been compromised.

Thanks for mentioning this, my response was pretty vague.

My recommendation (from an information security standpoint) was aimed
at determining the root cause of the infection, including reconnecting
it to a VERY isolated network with detailed host and network
monitoring. If you have hundreds of similarly configured systems, you
could have a very large problem soon on your hands. It is always a
good idea to figure out how an attacker gained access to a system.

Once "cleaned" (note the quotation marks), you can expect the system
to get reinfected quickly because the botnet operators assume that you
will restore from your last good backup, leaving the system in its
vulnerable state once again, so a re-infection will easily occur in
minutes.

As Nico pointed out, the only solution for returning a system to
production use is to perform a clean reinstall of the operating system
with careful analysis of any files copied over to the freshly
installed system.

Since any passwords on that system may have been compromised, you need
to change passwords including the root password on all impacted
systems that share credentials.

Since that means they may have gained access to additional systems,
this would be a good time to look into setting up file integrity
monitoring and detailed remote logging.

Brandon Vincent
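As an added illustration of the file integrity monitoring recommended above (example code written for this archive page, not part of Brandon's message or of any Scientific Linux tool): a small Python script that records a baseline of SHA-256 hashes and permission bits right after the clean reinstall and later reports which files were added, removed or altered. The sample tree, file names and contents in `demo()` are constructed for the demonstration; the baseline itself must be kept off the host, since an intruder with root can rewrite an on-host baseline as easily as the files it describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:  # SHA-256 of a file, read in chunks
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its
    SHA-256 and permission bits. Take this right after the reinstall and
    store a copy off the host, where a root-level intruder cannot edit it."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip links and special files
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "mode": p.stat().st_mode & 0o7777,  # flags a new setuid bit too
            }
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Files added, removed or altered (content or permissions) since baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed sample tree: take a baseline, alter the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {"bin/ls": b"original", "etc/motd": b"welcome\n"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        before = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"replaced")        # content changed
        (root / "etc" / "motd").unlink()                        # file removed
        (root / "etc" / "rc.local").write_bytes(b"exit 0\n")    # file added
        return compare(before, build_baseline(root))
```

On a real host, run `build_baseline` over directories such as /bin, /sbin, /lib and /etc and keep the resulting dictionary on a separate machine; a later `compare` against a fresh scan is only trustworthy if the Python interpreter and hashlib used for the scan are themselves from a trusted medium.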
