Re: Am I hacked?
On Thu, Jun 16, 2005 at 11:36:18AM -0400, Kevin B. McCarty wrote:
> Date: Thu, 16 Jun 2005 11:36:18 -0400
> From: "Kevin B. McCarty" <kmccarty@Princeton.EDU>
> User-Agent: Debian Thunderbird 1.0.2 (X11/20050331)
> To: debian-user@lists.debian.org
> Subject: Re: Am I hacked?
>
> Michal Sedlak wrote:
>
> > I am nearly sure that my server was hacked, but I want to be sure. Can anybody tell me if it is true?
> >
> > Here is the tiger script output. Do you have any ideas how to repair it? {no mkfs funny stuff please}
> > There are some interesting lines. I have one for every critical system command like {login, su, etc}
> > --WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x) matched the /bin/netstat on this machine.
> > and something like this for some kernel modules
> > --FAIL-- [lin005f] Installed file `/lib/modules/2.6.8-2-386/modules.symbols'
> > checksum differs from installed package 'kernel-image-2.6.8-2-386'.
>
> Could you try running chkrootkit and send the results to this list? A
> Debian package exists, but you may want to install it manually (install
> the package to another machine and copy over the files) if you don't
> know whether apt-get et al. have been trojanned.
If his kernel has been LKM trojanned, then you cannot trust your
kernel any more. So I think it is better to boot from a live CD and then
run chkrootkit and make sure you copy chkrootkit from a trusted
installation.
Best wishes
--
Alexei Chetroi
Smile... Tomorrow will be worse. (c) Murphy's Law
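
The checksum comparison tiger reports above, redone the way this reply advises (from a live CD, against data from a trusted installation), as an added example that is not part of the original messages. The function names `verify_root` and `demo`, the mount point argument and the manifest file are assumptions; the manifest is a dpkg-style md5sums list taken from a trusted copy of the package, not from the suspect disk.

```shell
#!/bin/sh
# Added example: run from the live CD, never from the suspect system.
# verify_root ROOT MANIFEST
#   ROOT     mount point of the suspect root filesystem (mount it read-only)
#   MANIFEST dpkg-style md5sums list from a trusted copy of the package:
#            "<md5>  <path relative to />" per line
# Prints one line per problem; returns 0 if every file matches, 1 otherwise.
verify_root() {
    root=$1; manifest=$2; bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue              # skip blank lines
        file="$root/$rel"
        if [ -L "$file" ]; then
            # Package manifests list regular files; a symlink here could
            # also point outside ROOT, so it is reported and never followed.
            echo "SYMLINK $rel"; bad=1
        elif [ ! -f "$file" ]; then
            echo "MISSING $rel"; bad=1
        else
            have=$(md5sum < "$file" | cut -d' ' -f1)
            [ "$have" = "$want" ] || { echo "MISMATCH $rel"; bad=1; }
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: a fake root with one intact and one altered binary.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/root/bin"
    printf 'original netstat\n' > "$d/root/bin/netstat"
    printf 'original login\n'   > "$d/root/bin/login"
    # Stand-in for the trusted manifest, built before the change below.
    ( cd "$d/root" && md5sum bin/netstat bin/login ) > "$d/trusted.md5sums"
    printf 'replaced netstat\n' > "$d/root/bin/netstat"
    verify_root "$d/root" "$d/trusted.md5sums"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "differences found (expected in this constructed demo)"
```

A clean result only covers the files listed in the manifest; files the package never shipped (extra modules, added binaries) are outside what this check sees.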