Re: rootkit/virus/trojan on squeeze 32 bit
On Tue, 12 Mar 2013 01:23:09 +0100
sp113438 <sp113438@telfort.nl> wrote:
> On Tue, 12 Mar 2013 00:19:27 +0100
> Sergey Spiridonov <sena@hurd.homeunix.org> wrote:
>
> > Hi Debian
> >
> > Just detected several modified binaries on one of my Debian Squeeze
> > 32 bit,
> > like /usr/bin/passwd, /bin/dash, /sbin/hdparm, /usr/bin/skype etc.
> > Modified files are bigger in size, but debsums does not complain
> > about them. I tried clamscan and avast on these binaries on another
> > host, they did not find anything. I also tried chkrootkit and
> > rkhunter (but I did not get the possibility to boot from safe media
> > yet).
> >
> > You can find some good and binaries here [1]. This virus/rootkit
> > seems to be clever enough to deceive debsums, so it is
> > Debian-related.
> >
> > 1. http://hurd.homeunix.org/~sena/bad-skype/
> >
> > If I reinstall binaries, they become normal size, but become
> > changed again after reboot.
> >
> > Any ideas? What else needs to be done? Currently I am going to
> > reinstall Debian box.
>
> No solution, but how did you find out about the changed size?
>
>
After running on my amd64 squeeze:
# rkhunter --update
# rkhunter -c
rkhunter showed one warning:
Warning: Checking for possible rootkit strings [ Warning ]
[01:25:23] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit
> I did not get the possibility to boot from safe media yet
You can go to rescue mode with your installation medium (via expert mode).
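Added illustration, not part of this thread or of the debsums tool itself: the check debsums performs (md5 of each installed file against the package's md5sums list) re-implemented so it can be run from rescue media against the mounted root of the suspect box, where hooks on the running system cannot interfere with what is read. The root directory and the md5sums list below are constructed sample data; on a real system the lists live under /var/lib/dpkg/info/*.md5sums and, if those could have been altered too, should be taken from a freshly downloaded copy of the package instead.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg-style md5sums content: '<md5>  <path relative to root>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest.lower()
    return entries


def md5_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(root, md5sums_text):
    """Check every listed file under an offline-mounted root (e.g. /mnt/target).

    Returns {relative_path: (status, size_in_bytes)} with status one of
    'ok', 'modified' or 'missing'; the size lets you spot the 'bigger' files
    described in the thread even before looking at the hash.
    """
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = ("missing", None)
            continue
        status = "ok" if md5_of(path) == expected else "modified"
        results[rel] = (status, os.path.getsize(path))
    return results


def demo():
    """Constructed sample root: one intact file, one padded file, one absent."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        good = b"#!/bin/sh\necho dash\n"  # 20 bytes, stands in for a real binary
        with open(os.path.join(root, "bin", "dash"), "wb") as f:
            f.write(good)
        with open(os.path.join(root, "usr", "bin", "passwd"), "wb") as f:
            f.write(good + b"\x00" * 512)  # tampered copy: larger than recorded
        expected = hashlib.md5(good).hexdigest()
        md5sums = (f"{expected}  bin/dash\n{expected}  usr/bin/passwd\n"
                   f"{'0' * 32}  sbin/hdparm\n")
        return verify_tree(root, md5sums)


if __name__ == "__main__":
    for rel, (status, size) in demo().items():
        print(f"{status:9s} {str(size):>6} {rel}")
```

The same comparison done on the live system is only as trustworthy as the kernel and libc serving the reads, which is why the thread's advice to boot from the installation medium matters.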