
Re: Is my system compromised



According to Todd Weaver,
> On Fri, Feb 03, 2006 at 06:24:02PM +0100, Ben Meijering wrote:
> [snip]
> > I was looking in my /etc/rc2.d directory to see what kind of services
> > were installed on my server. 
> >  
> > The contents of my rc2.d directory are as follows
> >  
> > S10distwatchd  S20courier-authdaemon  S20nfs-kernel-server  S89cron
> > S10sysklogd    S20courier-pop         S20pptpd              S89watchd
> > S11klogd       S20courier-pop-ssl     S20samba              S91apache
> > S14ppp         S20exim                S20ssh                S91apache-ssl
> > S15bind9       S20inetd               S21nfs-common         S99rmnologin
> > S15lwresd      S20lpd                 S23killd              S99stop-bootlogd
> > S18portmap     S20makedev             S50proftpd
> > S19sshd        S20mysql               S89atd
> >  
> > I couldn't find a man page for distwatchd and just tried to run it which
> > gave the following result:
> 
> You *probably* should have less'd the file and not just executed it.
> 
> You also could send the contents of the file in question, for review.
> 
> > benspagina:/etc/rc2.d# /etc/init.d/distwatchd
> >  
> >  
> > FUCK: Got signal 11 while manipulating kernel!
> >  
> > Searching for this last sentence I found all sorts of pages talking
> > about compromised servers.
> >  
> > Is there a chance my system is compromised?
> 
> You can try tiger...
>     sudo apt-get update
>     sudo apt-get install tiger
>     sudo tiger

I'd not run anything else from a hard drive I suspect is
compromised.  Reboot with a liveCD and examine it from
there.

Tony
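
One way to do the offline examination suggested above, as an added example that is not part of the original thread: from a live CD, with the suspect root filesystem mounted read-only, list the rc2.d start links whose init script no installed package claims in the dpkg file lists. The function name and the mount point /mnt/suspect are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Run it from the live CD so that the
# grep, readlink and basename used are the CD's copies, not the suspect disk's.
# Assumed setup: mount -o ro,noexec,nodev <suspect-partition> /mnt/suspect

# unowned_init_scripts ROOT
# Prints the path (as seen on the suspect system) of every script started
# from ROOT/etc/rc2.d that appears in no /var/lib/dpkg/info/*.list file.
unowned_init_scripts() {
    root=${1%/}
    for link in "$root"/etc/rc2.d/S*; do
        # Skip the unexpanded glob when the directory has no start links.
        [ -e "$link" ] || [ -L "$link" ] || continue
        if [ -L "$link" ]; then
            # Normal case: S10foo -> ../init.d/foo. Only read the link text;
            # nothing on the suspect disk is executed or followed.
            target=$(readlink "$link")
            path="/etc/init.d/$(basename "$target")"
        else
            # A regular file dropped straight into rc2.d is unusual in itself.
            path="/etc/rc2.d/$(basename "$link")"
        fi
        # dpkg keeps one absolute path per line in <package>.list;
        # -x -F matches the whole line as a fixed string.
        if ! grep -qsxF "$path" "$root"/var/lib/dpkg/info/*.list; then
            echo "$path"
        fi
    done
}

# Stand-alone use: sh thisfile /mnt/suspect
if [ "$#" -gt 0 ]; then
    unowned_init_scripts "$1"
fi
```

A path that is listed only shows that some package claims it, not that the file is unmodified, and the dpkg database on the suspect disk may have been altered too. Read any script this reports with a pager from the live CD rather than running it.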


