rootkit/virus/trojan on squeeze 32 bit

To: debian-user@lists.debian.org
Subject: rootkit/virus/trojan on squeeze 32 bit
From: Sergey Spiridonov <sena@hurd.homeunix.org>
Date: Tue, 12 Mar 2013 00:19:27 +0100
Message-id: <[🔎] khlopn$34n$1@ger.gmane.org>

Hi Debian

Just detected several modified binaries on one of my Debian Squeeze 32bit, like /usr/bin/passwd, /bin/dash, /sbin/hdparm, /usr/bin/skype etc.Modified files are bigger in size, but debsums does not complain aboutthem. I tried clamscan and avast on this binaries on another host, theydid not find anything. I also tried chkrootkit and rkhunter (but I didnot get possibility to boot from safe media yet).

You can find some good and binaries here [1]. This virus/rootkit seemsto be clever enough to deceive debsums, so it is Debian-related.


1. http://hurd.homeunix.org/~sena/bad-skype/

If I reinstall binaries, they become normal size, but become changedagain after reboot.

Any ideas? What else needs to be done? Currently I am going to reinstallDebian box.

--
Best regards, Sergey Spiridonov

Reply to:

Follow-Ups:
- Re: rootkit/virus/trojan on squeeze 32 bit
  - From: sp113438 <sp113438@telfort.nl>

Prev by Date: Re: how to properly add a dns server
Next by Date: Re: rootkit/virus/trojan on squeeze 32 bit
Previous by thread: RE: how to properly add a dns server
Next by thread: Re: rootkit/virus/trojan on squeeze 32 bit
Index(es):
- Date
- Thread