Michal Sedlak wrote:
> I am nearly sure that my server was hacked, but I want to be sure. Can anybody say me if it is true.
>
> Here is tiger script output. Do you have any ideas how to repair it {no mkfs funny stuff please}
> There are some line interesting. I have one for every critical system command like {login, su, etc}
> --WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
> and something like this for some kernel modules
> --FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
> checksum differs from installed package 'kernel-image-2.6.8-2-386'.
Could you try running chkrootkit and send the results to this list? A
Debian package exists, but you may want to install it manually (install
the package to another machine and copy over the files) if you don't
know whether apt-get et al. have been trojanned.
--
Kevin B. McCarty <kmccarty@princeton.edu> Physics Department
WWW: http://www.princeton.edu/~kmccarty/ Princeton University
GPG: public key ID 4F83C751 Princeton, NJ 08544