Re: is this result of keylogger? am i hacked?
On 07/21/2010 06:45 PM, Chris Davies wrote:
> For breakage of something as significant as /etc/shells, I'd prioritise
> investigations in that order. Memtest86+ is a no-brainer, so let it
> test your machine. Are you using a kernel that's got known issues with
> whatever filesystem you are using for /etc? (Have you looked?)
I will do checks today, I just need to buy a cdrom first. I will report
memtest86+, fsck and chkrootkit results this evening. Kernel is current
squeeze kernel. Filesystem is ext3. AFAIK ext3 is quite stable now.
Today I additionally found hidden files in /etc:
.passwd.swn and similar .p.*
file tells that they are vim swap files, but inside they also contain
keyboard logs (among other data).
> What was the outcome of your investigation into the previous situation?
The previous situation happened on the provider's virtual hosting, so I
can not do a lot. Performed nmap from outside, chkrootkit from inside
with no results.
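
Added triage example, not part of the original message: block 0 of a Vim swap file records the creating user, host, PID and the path being edited, which helps tie hidden files like the ones mentioned above to a specific editing session. The field offsets follow Vim's block 0 layout as an assumption of this sketch; the function names and the sample header are constructed for illustration.

```python
import os
import struct
import sys

# Assumed block-0 layout: id(2) version(10) page_size/mtime/inode/pid(4 each,
# little-endian) uname(40) hname(40) fname(900)
B0_SIZE = 1008

def parse_swap_header(data):
    """Return block-0 metadata of a Vim swap file, or None if data is not one."""
    if len(data) < B0_SIZE or data[:2] != b"b0" or data[2:5] != b"VIM":
        return None

    def cstr(off, size):
        # Fields are NUL-padded C strings
        return data[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")

    page_size, mtime, inode, pid = struct.unpack_from("<4I", data, 12)
    return {"version": cstr(2, 10), "page_size": page_size, "mtime": mtime,
            "inode": inode, "pid": pid, "user": cstr(28, 40),
            "host": cstr(68, 40), "file": cstr(108, 900)}

def scan(directory):
    """Return [(path, header)] for hidden regular files that are Vim swap files."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not name.startswith(".") or os.path.islink(path) or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                hdr = parse_swap_header(fh.read(B0_SIZE))
        except OSError:
            continue  # unreadable file: skip, do not abort the sweep
        if hdr:
            found.append((path, hdr))
    return found

def make_sample():
    """Constructed block 0 for testing; not taken from a real system."""
    return (b"b0" + b"VIM 7.2".ljust(10, b"\0")
            + struct.pack("<4I", 4096, 1279700000, 1234, 4321)
            + b"root".ljust(40, b"\0") + b"examplehost".ljust(40, b"\0")
            + b"/etc/passwd".ljust(900, b"\0"))

if __name__ == "__main__":
    for path, hdr in scan(sys.argv[1] if len(sys.argv) > 1 else "/etc"):
        print(path, hdr)
```

Comparing the reported user, PID and mtime with login records and shell history shows whether a swap file matches a known editing session.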