Re: libcbtsysinfo in /home/user
On Fri, Jul 27, 2007 at 09:42:49AM -0700, Andrew Sackville-West wrote:
> On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
> > I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
> > there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
> > that filename. Has my system been compromised (there is nothing out of the
> > ordinary anywhere else) or is there something I have missed?
>
> I ran google with "cbtsysinfo" and came up with this:
>
> http://spywarefiles.prevx.com/RRHGED043236257/CBTSYSINFO-0.DLL.html
>
> which, while it's obviously for Windows, shows the same storage path
> ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
> sort of malware and is so new (July 12) then perhaps it does exist for
> multiple platforms and just hasn't been reported yet...
If you haven't installed or upgraded any packages recently, and apt-file
search libcbt doesn't give any output (which it doesn't), then it's safe
to assume that something other than a Debian package or yourself put it
there.
Since there is a chance that the system has been compromised, pull the
plug. That may sound drastic, but it's possible for malware to sense a
shutdown in progress and do something nasty. Ditto if you pull the
network cable. Pull the plug, then access that drive from either a
live-cd or by installing the drive in a known-safe system. Mount the drive
read-only, noexec, nosuid, etc.
Look at /etc/passwd: is there a username magnus?
Then decide if you want to try to figure out what happened or if you want
to wipe the disk and reinstall.
The bottom line is that on a suspect system, you can't rely on any
executable or even any log files.
Good luck,
Doug.
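The offline triage Doug outlines (mount the suspect disk with hardened options, check /etc/passwd, confirm that no Debian package accounts for the file, and trust nothing that executes from the disk), written out as a shell script. This is an added example, not code from anyone in the thread. The mount point /mnt/evidence, the user name magnus and the file path /home/magnus/cbt/lib/libcbtsysinfo_0.so are assumptions taken from the report; the script only reads data files from the suspect disk with the live system's own grep/awk/ls, and stands in for dpkg -S by grepping the suspect's own /var/lib/dpkg/info/*.list files rather than the live CD's package database.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout:
#   /mnt/evidence  - suspect root filesystem, mounted from a live system, e.g.
#                    mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/evidence
#   magnus         - account named in the report
#   /home/magnus/cbt/lib/libcbtsysinfo_0.so - the unexplained file
# Nothing under the evidence mount is ever executed; only data is read.

# opts_are_hardened OPTS: succeed only if the comma-separated mount option
# string contains every one of ro, noexec, nosuid and nodev.
opts_are_hardened() {
    for want in ro noexec nosuid nodev; do
        case ",$1," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# mount_is_hardened MOUNTPOINT: look the mount point up in /proc/mounts
# (last matching entry wins, as with stacked mounts) and check its options.
mount_is_hardened() {
    mopts=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' /proc/mounts)
    [ -n "$mopts" ] && opts_are_hardened "$mopts"
}

# passwd_has_user ROOT NAME: is NAME defined in ROOT/etc/passwd? This reads
# the suspect's passwd file with the live system's grep.
passwd_has_user() {
    grep -q "^$2:" "$1/etc/passwd"
}

# package_owning ROOT PATH: print the name of the package whose file list on
# the suspect disk claims PATH, or nothing if no package does. Offline
# equivalent of "dpkg -S PATH", using the suspect's dpkg database as data.
package_owning() {
    grep -lxF -- "$2" "$1"/var/lib/dpkg/info/*.list 2>/dev/null \
        | sed 's#.*/##; s#\.list$##' | head -n 1
}

# Usage: sh triage.sh /mnt/evidence magnus /home/magnus/cbt/lib/libcbtsysinfo_0.so
if [ $# -eq 3 ]; then
    evroot=$1; evuser=$2; evfile=$3
    if mount_is_hardened "$evroot"; then
        echo "ok: $evroot is mounted ro,noexec,nosuid,nodev"
    else
        echo "STOP: remount $evroot with -o ro,noexec,nosuid,nodev first" >&2
        exit 1
    fi
    if passwd_has_user "$evroot" "$evuser"; then
        echo "ok: '$evuser' is defined in $evroot/etc/passwd"
    else
        echo "warning: no '$evuser' entry in $evroot/etc/passwd"
    fi
    pkg=$(package_owning "$evroot" "$evfile")
    if [ -n "$pkg" ]; then
        echo "$evfile is claimed by package $pkg"
    else
        echo "$evfile is not claimed by any installed package"
    fi
    # Metadata only, via the live system's ls; the file itself is never run.
    ls -la -- "$evroot$evfile" 2>/dev/null || echo "$evfile not present"
fi
```

Run it from the live system after mounting, not from the suspect installation; if the mount check fails, remount before reading anything else, since a mount without noexec is one accidental double-click away from running the very thing you are investigating.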