
In a bit of a panic, I moved all kinds of grub files without fully realizing the consequences later on... In any case, I am going over the files that I do have and noting what differences may exist. If anything is causing my booting problems, it is most likely the bootloader, grub.

Using an app called diffuse, I am comparing the grub files from my hijacked server against those on a lab machine running the same version of CrunchBang (the OS in use). I will note each file and what differences (or lack thereof) there are.

To start, I need to weed out the files that I cannot do much with. So I ran the following commands:

rm *.mod

rm *.img

rm *.o

In the end, I am fairly sure that some of these files may have been altered, and they could potentially contain the reason my server wasn't booting in the expected order. That being said, I do not know what to do with these files, or how to even start examining them for any such differences. I know I could run some md5sum checks on the files, but I would expect some differences in some files anyway, and the hackers who create this malware are on top of that and can make sure the MD5 sum works out the same as that of its unaltered counterpart. So needless to say, these files are somewhat useless to me; I will delete them to narrow things down to the files that I CAN work with.

Here are the files that were left, and what the comparison showed:

command.lst: no differences
crypto.lst: no differences
device.map: clear difference on the exact HDD in use, otherwise no real difference
fs.lst: no differences
moddep.lst: no differences
partmap.lst: empty, no differences
parttool.lst: empty, no differences
terminal.lst: no differences
video.lst: no differences
grubenv: no differences

At this point, I did not expect to see any differences in these files (other than the expected device.map difference). This next file is where I expect to see some key differences:

grub.cfg: difference on hostname (expected); difference on HDD UUIDs (expected); no other differences

Well shit... I really expected this file to be the "smoking gun" for my boot problems, but it seems otherwise. Then again, leaving any obvious differences in these files would be another clear indication of a hack, somewhat like leaving your wallet behind during a home invasion... Well, on to other files.
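The comparison done by hand above, automated as an added example that is not part of the original post: it walks a reference /boot/grub copy from a lab machine against the suspect server's copy, filters out the differences the post treats as expected (hostname, filesystem UUIDs, the disk path in device.map), reports anything else, and compares the binary .mod/.img files by SHA-256 rather than skipping them. The sample grub.cfg fragments, the temp-dir layout and the EXPECTED pattern list are constructed assumptions, not files from the post.

```python
import difflib, hashlib, re, tempfile
from pathlib import Path

# Expected differences between two installs of the same release (hostname in menu
# entries, filesystem UUIDs, disk path in device.map); anything else is flagged.
EXPECTED = re.compile(r"menuentry |--fs-uuid|root=UUID=|^\(hd\d+\)\s+/dev/")
REF_CFG = """set default="0"
menuentry 'CrunchBang GNU/Linux (on labbox)' {
  search --no-floppy --fs-uuid --set=root 1111-aaaa
  linux /boot/vmlinuz root=UUID=1111-aaaa ro quiet
}"""  # constructed lab-machine grub.cfg fragment (reference)
SUS_CFG = (REF_CFG.replace("labbox", "server").replace("1111-aaaa", "2222-bbbb")
           .replace('default="0"', 'default="2"'))  # constructed: boot order changed

def classify_diff(ref_text: str, sus_text: str) -> tuple:
    """Return (status, unexplained lines); status is identical, expected or UNEXPECTED."""
    diff = list(difflib.unified_diff(ref_text.splitlines(), sus_text.splitlines(), n=0, lineterm=""))
    changed = [l for l in diff[2:] if l[0] in "+-"]      # skip file headers and @@ lines
    unexplained = [l for l in changed if not EXPECTED.search(l[1:])]
    status = "identical" if not changed else "UNEXPECTED" if unexplained else "expected"
    return status, unexplained

def compare_trees(ref_dir: Path, sus_dir: Path) -> dict:
    """Compare each reference file with its counterpart; binaries by SHA-256 only."""
    report = {}
    for ref in sorted(p for p in ref_dir.rglob("*") if p.is_file()):
        rel, sus = str(ref.relative_to(ref_dir)), sus_dir / ref.relative_to(ref_dir)
        if not sus.is_file():
            report[rel] = ("MISSING", [])                # e.g. modules deleted from the server
            continue
        a, b = ref.read_bytes(), sus.read_bytes()
        if a == b:
            report[rel] = ("identical", [])
        elif b"\0" in a[:1024] or b"\0" in b[:1024]:     # binary file: a line diff is meaningless
            ha, hb = hashlib.sha256(a).hexdigest()[:12], hashlib.sha256(b).hexdigest()[:12]
            report[rel] = ("UNEXPECTED", [f"binary differs: sha256 {ha}... vs {hb}..."])
        else:
            report[rel] = classify_diff(a.decode(errors="replace"), b.decode(errors="replace"))
    return report

def demo() -> dict:  # builds two constructed /boot/grub trees in a temp dir and compares them
    root = Path(tempfile.mkdtemp())
    ref, sus = root / "lab", root / "server"
    for d, cfg, disk in ((ref, REF_CFG, "/dev/sda"), (sus, SUS_CFG, "/dev/sdb")):
        d.mkdir()
        (d / "grub.cfg").write_text(cfg)
        (d / "device.map").write_text(f"(hd0)\t{disk}\n")
        (d / "core.img").write_bytes(b"\x7fELF\0\0" + d.name.encode())  # constructed, differs
    (ref / "acpi.mod").write_bytes(b"\x7fELF\0mod")      # present on the lab box only
    return compare_trees(ref, sus)
```

Point the two directory arguments at a mounted copy of the suspect /boot/grub and a clean install's /boot/grub to run it on real trees; only lines not matched by EXPECTED, missing files and hash mismatches come back flagged.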
