[App_rpt-users] DIAL update restore configs question
Loren Tedford
lorentedford at gmail.com
Fri Jun 16 13:46:42 UTC 2017
Typically when i come across a machine that I believe has been compromised
the first thing i do is remove it from the network completely.. If possible
i boot it up in finnex or a similar utility tool and then i run clam av via
command line after mounting the drives manually.. Next i personally only
grab files that are of text nature and to ensure that nothing else maybe
attached i use the cat command to display the text of example conf files
and then copy and past them into an editor of your choice.. Personally i
use Notepad ++ on my windows machine for each one of the files re saving
them on my machine.. If I was to guess you were probably root kitted this
is common these days however its usually difficult to find the root kits
while in the os.. Tools like Finnex are nice because your no longer in that
os and generally speaking can search hidden files a little easier.. Still
not going to be fun.. What i would recommend in the future is to setup your
node the way you want it then clonezilla it or reimage it and store it in a
safe spot.. This way if you run into this issue in the future your back up
and running in short order.. Just my 2 cents..
Loren Tedford (KC9ZHV)
Phone:
Fax:
Email: lorentedford at gmail.com
Email: KC9ZHV at KC9ZHV.com
http://www.lorentedford.com
http://www.kc9zhv.com
http://forum.kc9zhv.com
http://hub.kc9zhv.com
http://Ltcraft.net <http://ltcraft.net/>
http://voipham.com
On Fri, Jun 16, 2017 at 8:06 AM, DuaneVT . <selkie2 at comcast.net> wrote:
> I have copied my entire /etc/asterisk folder. When I re-image the hard
> drive, how best to restore the custom conf files..
> The question is how best to maintain configs for a possible re-image.
> There is a "include custom" statement at the bottom of most conf files.
> Exactly what is expected as a custom conf? The entire config, but with user
> changes? Does the template conf run and then the exact same customized conf
> file? This has not been explained in much detail.
>
> I COULD copy the ENTIRE SD contents after any ssh change, but that MIGHT
> also capture any hacked-but-dormant changes.
>
> More experienced administrator comments are appreciated.
> 73,
> Duane KA1LM
>
> _______________________________________________
> App_rpt-users mailing list
> App_rpt-users at lists.allstarlink.org
> http://lists.allstarlink.org/cgi-bin/mailman/listinfo/app_rpt-users
>
> To unsubscribe from this list please visit http://lists.allstarlink.org/
> cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of
> the page. Enter your email address and press the "Unsubscribe or edit
> options button"
> You do not need a password to unsubscribe, you can do it via email
> confirmation. If you have trouble unsubscribing, please send a message to
> the list detailing the problem.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20170616/8cf8465e/attachment.html>
More information about the App_rpt-users
mailing list