
Re: Is my system compromised



I'm not familiar with chkrootkit.  It sounds like the Microsoftian
antivirus mindset of looking for known compromises, which is a 
mindset I avoid.  My own methodology would be to examine 
the script in question, and poke around at other files.  If 
the system looks compromised, I'd do a fresh clean install 
(on a new hard drive, for convenience), move my data files 
over, make sure the new system is working properly, and wipe 
the compromised drive.  The thing is, once your machine has 
been compromised, it's hard to know if you've removed every 
trace.  And then focus on prevention, an ounce of which is 
worth pounds of "cure".


According to BTP,
> I did as you mention by booting from a Knoppix CD and tried to check the hard
> drive partitions with chkrootkit. Chkrootkit however did not run in the same
> typical manner as it does when I invoke it from my Debian console: it
> complained about not being able to do everything it's supposed to, I can't
> remember the details.
> 
> Also I gave a quick try to install some virus scanner from the Knoppix
> software install menu, but I lost interest in figuring all that out and
> did not perform a virus scan.
> 
> I did not find any specific instructions on Google for dealing with
> compromised systems using Knoppix, other than what I tried to do.
> 
> Does anyone have any links or specific hints regarding this?
> 
> Bart
> 
> 
> >
> > I'd not run anything else from a hard drive I suspect is
> > compromised.  Reboot with a liveCD and examine it from
> > there.
> >
> > Tony


