These are the main things you can do if your system is compromised by an intruder to the point that they have root access and have installed a rootkit on your system.
- Disconnect your system from the network. Remove your system from the Internet and from your local network. You should literally unplug the network connection (if it’s wired).
- Make a backup. Before you do anything else, make a backup of the system in its compromised state. The backup could be used to restore important data after careful investigation. It could also be used as evidence if there is a criminal investigation against the cracker, or it could help you if the cracker used your system to attack others.
- Determine the method of entry. This step is easier said than done. Your log files may provide clues concerning the method of entry, as might symptoms of system misbehavior. As you research the security of important servers and other programs, you may discover a server or two with known security bugs that might have been used to gain entry.
- Wipe the system clean. Delete every system file on the computer—program files, libraries, configuration files, and so on. Do this by using an emergency Linux system and making new filesystems on the old partitions. As a minimal precaution, search any partitions you intend to keep for executable files (find /home -perm -0111 -type f should do the trick for /home) and evaluate whether they should be executable.
- Reinstall or recover the system. Reinstall the system from scratch or restore it from a backup. If necessary, restore your system’s configuration to its pre-intrusion state—for instance, set up your servers the way they were before the intrusion. If you restore either the entire system or configuration files from backups, be sure the backups were made before the intrusion.
- Upgrade system security. Update old packages and fix any possible methods of entry you identified. If you couldn’t identify anything specific, you’ll have to make do with package updates and increasing your general level of security.
- Restore to the network. Only after you’ve upgraded security should you contemplate returning the system to the network. At this point, your system should be clean and much harder to break into than it was before.
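The check from the "wipe the system clean" step, searching the partitions you intend to keep for executable files, can be turned into a small audit that also compares what it finds against a backup made before the intrusion. The script below is an added example and is not part of the original text; it assumes a POSIX sh with GNU find and sha256sum (run from a trusted rescue system), and the directory layout and file names it builds for its demo are constructed. Note that it uses `-perm /0111` (any execute bit set) rather than the `-perm -0111` in the text, which only matches files executable by user, group and other at once, so a file the intruder left with mode 0700 would slip past the original form.

```shell
#!/bin/sh
# Added example (not from the original article): audit a kept partition for
# executable files and flag those not present in a pre-intrusion backup.
# Assumptions (not from the page): GNU find, sha256sum, mktemp, cut and grep
# are available; the audit runs from a trusted rescue system.

# List regular files under $1 that have ANY execute bit set.
# "-perm /0111" matches user, group OR other execute; the page's
# "-perm -0111" requires all three and misses e.g. mode 0700 files.
list_executables() {
    find "$1" -type f -perm /0111 | sort
}

# Hash each executable ("<sha256>  <path>" per line) so the set can be
# compared against the same listing taken from a known-good backup.
hash_executables() {
    list_executables "$1" | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# Print the paths of executables under $1 whose SHA-256 is not listed in
# the baseline file $2 (one hash per line, taken from the backup).
unknown_executables() {
    dir=$1
    baseline=$2
    hash_executables "$dir" | while IFS= read -r line; do
        h=${line%% *}        # hash: everything before the first space
        p=${line#*  }        # path: everything after the two-space separator
        if ! grep -Fqx "$h" "$baseline"; then
            printf '%s\n' "$p"
        fi
    done
}

# Build a constructed sample tree (NOT real data) under a temp directory:
# a legitimate script present in the backup, a hidden 0700 file that is not,
# and a baseline of hashes produced from the backup copy. Prints the root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/.cache" "$root/home/bob" "$root/backup/home/bob"
    printf 'shopping list\n' > "$root/home/alice/notes.txt"
    printf '#!/bin/sh\nrsync -a /home /mnt/backup\n' > "$root/home/bob/backup.sh"
    chmod 755 "$root/home/bob/backup.sh"
    # constructed stand-in for a file the intruder left behind (owner-exec only)
    printf '#!/bin/sh\n: unexpected executable\n' > "$root/home/alice/.cache/update"
    chmod 700 "$root/home/alice/.cache/update"
    # the pre-intrusion backup holds only the legitimate script
    cp "$root/home/bob/backup.sh" "$root/backup/home/bob/backup.sh"
    chmod 755 "$root/backup/home/bob/backup.sh"
    hash_executables "$root/backup" | cut -d' ' -f1 > "$root/baseline.sha256"
    printf '%s\n' "$root"
}

# Usage: sh audit_execs.sh demo   (exercises the functions on the sample tree)
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "executable files under $root/home:"
    list_executables "$root/home"
    echo "executables with no matching hash in the pre-intrusion backup:"
    unknown_executables "$root/home" "$root/baseline.sha256"
    rm -rf "$root"
fi
```

On a real system, run `list_executables` against each partition you keep and `unknown_executables` against a baseline hashed from the backup; anything it reports is a file to evaluate by hand before deciding whether it should remain executable at all.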