Re: Is my system compromised
According to Todd Weaver,
> On Fri, Feb 03, 2006 at 06:24:02PM +0100, Ben Meijering wrote:
> [snip]
> > I was looking in my /etc/rc2.d directory to see what kind of services
> > were installed on my server.
> >
> > The contents of my rc2.d directory are as follows
> >
> > S10distwatchd S20courier-authdaemon S20nfs-kernel-server S89cron
> > S10sysklogd S20courier-pop S20pptpd S89watchd
> > S11klogd S20courier-pop-ssl S20samba S91apache
> > S14ppp S20exim S20ssh
> > S91apache-ssl
> > S15bind9 S20inetd S21nfs-common S99rmnologin
> > S15lwresd S20lpd S23killd
> > S99stop-bootlogd
> > S18portmap S20makedev S50proftpd
> > S19sshd S20mysql S89atd
> >
> > I couldn't find a man page for distwatchd and just tried to run it which
> > gave the following result:
>
> You *probably* should have less'd the file and not just executed it.
>
> You also could send the contents of the file in question, for review.
>
> > benspagina:/etc/rc2.d# /etc/init.d/distwatchd
> >
> >
> > FUCK: Got signal 11 while manipulating kernel!
> >
> > Searching for this last sentence I found all sorts of pages talking
> > about compromised servers.
> >
> > Is there a chance my system is compromised?
>
> You can try tiger...
> sudo apt-get update
> sudo apt-get install tiger
> sudo tiger
I'd not run anything else from a hard drive I suspect is
compromised. Reboot with a liveCD and examine it from
there.
Tony
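
The offline check suggested above could start like this. It is an added example, not part of the original thread: it assumes the suspect root filesystem is mounted read-only from the live CD at a mount point such as /mnt, and the function name is hypothetical. It lists rc2.d start links whose init script is not in any package's dpkg file list, which is the situation distwatchd appears to be in.

```shell
# Added example (not from the thread). Run from a live CD with the suspect
# root mounted read-only, e.g.:  mount -o ro /dev/DEVICE /mnt
# (DEVICE and /mnt are placeholders.)
#
# Prints every start link in <root>/etc/rc2.d whose target script is not
# listed in any <root>/var/lib/dpkg/info/*.list file. Nothing from the
# suspect disk is executed; only file names and dpkg file lists are read.
# Caveat: the dpkg database lives on the suspect disk too, so a listed
# script is not proven clean; an unlisted one is simply worth reading first.
unowned_rc_links() {
    root=${1%/}
    rcdir=${2:-rc2.d}
    for link in "$root/etc/$rcdir"/S*; do
        # Skip the unexpanded glob when the directory is empty or missing.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=$(basename "$link")
        if [ -L "$link" ]; then
            # Read the link text only; never resolve it against the live system.
            target=$(readlink "$link")
            case $target in
                /*)   script=$target ;;                 # absolute target
                ../*) script="/etc/${target#../}" ;;    # usual ../init.d/foo
                *)    script="/etc/$rcdir/$target" ;;   # relative to rc dir
            esac
        else
            # A regular file sitting directly in rc2.d is itself unusual.
            script="/etc/$rcdir/$name"
        fi
        # Exact, whole-line match against the package file lists.
        if ! grep -qxF -- "$script" "$root"/var/lib/dpkg/info/*.list 2>/dev/null; then
            printf '%s -> %s\n' "$name" "$script"
        fi
    done
}
```

Call it as `unowned_rc_links /mnt`, then read the reported scripts with a pager from the live environment rather than running them.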