Re: rootkit/virus/trojan on squeeze 32 bit
On 2013-03-12 10:36 +0100, Sergey Spiridonov wrote:

> On 03/12/2013 01:23 AM, sp113438 wrote:
>
>> No solution, but how did you find out about the changed size?
>
> This is all happening on the remote machine of my friend. I do not
> have direct access to the hardware.
>
> First, skype refused to start, complaining about a modified binary. I
> reinstalled skype from the same deb file (some old 2.x) and noticed
> that the binary's file size and md5 had changed. After a system reboot skype
> refused to start again and I found out that its binary had changed size and
> md5. I tried debsums - it does not show any error.

FWIW, it is possible that the files had been subject to being treated
with prelink(8); debsums will not report those files unless called with
the "--no-prelink" option.

> I compared some other binaries like passwd, dash and hddparm with my
> local passwd, hddparm and dash. The remote binaries were larger. debsums
> does not show any problem again. Additionally, passwd loses its sticky
> bit.

Well, that's certainly not supposed to happen.

> I copied passwd, dash, hddparm, skype binaries on my local machine and
> tried clamscan, avast and bitdefender. They did not detect anything.
>
> So this must be something new.
>
> I wonder, is there any organization which takes care of such things?

Surely, there are several antivirus companies which let you upload and
scan files.  I fed your passwd.bad to virustotal.com and virscan.org,
they checked it with several dozen engines and did not detect anything
either.

Cheers,
       Sven
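Added example, not from this thread and not part of debsums or prelink themselves: a small POSIX shell check that tells a binary rewritten by prelink(8) apart from one that really was altered, by comparing both the on-disk file and its prelink-undone form against the md5 dpkg recorded at install time. It assumes the dpkg md5sums format ("<md5>  <path without leading slash>" under /var/lib/dpkg/info/) and prelink's -u (--undo) and -o (--output) options; when prelink is not installed the undo step is skipped and any mismatch is reported as MODIFIED.

```shell
#!/bin/sh
# Added example: distinguish prelink-rewritten files from tampered ones.
# Assumes dpkg md5sums files ("<md5>  <path>") and prelink -u/-o; without
# prelink, the undo comparison is skipped.

# md5 of a file as it sits on disk
file_md5() { md5sum "$1" | cut -d' ' -f1; }

# md5 of the file with prelink's changes reversed; prints nothing when
# prelink is absent or cannot undo this file (e.g. it is not an ELF binary)
undone_md5() {
    command -v prelink >/dev/null 2>&1 || return 0
    tmp=$(mktemp) || return 1
    if prelink -u -o "$tmp" "$1" 2>/dev/null; then
        md5sum "$tmp" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# md5 recorded for path $2 (no leading slash) in md5sums file $1; empty if unknown
recorded_md5() {
    [ -r "$1" ] || return 0
    awk -v p="$2" '$2 == p { print $1; exit }' "$1"
}

# classify MD5SUMS_FILE INSTALLED_PATH FILE_ON_DISK
# prints one of: ok | prelinked | MODIFIED | unknown
classify() {
    rec=$(recorded_md5 "$1" "$2")
    [ -n "$rec" ] || { echo unknown; return 0; }
    cur=$(file_md5 "$3")
    if [ "$cur" = "$rec" ]; then echo ok; return 0; fi
    und=$(undone_md5 "$3")
    if [ -n "$und" ] && [ "$und" = "$rec" ]; then echo prelinked; return 0; fi
    echo MODIFIED
}

# check_installed /usr/bin/passwd: find the owning package with dpkg -S and
# classify the installed file against that package's md5sums list
check_installed() {
    owner=$(dpkg -S "$1" 2>/dev/null | head -n 1)
    [ -n "$owner" ] || { echo unknown; return 0; }
    pkg=${owner%%: *}            # keeps "name:arch" for multiarch packages
    classify "/var/lib/dpkg/info/$pkg.md5sums" "${1#/}" "$1"
}

# usage on a Debian system (skipped where dpkg or the file is missing)
if command -v dpkg >/dev/null 2>&1 && [ -r /usr/bin/passwd ]; then
    printf '%s: %s\n' /usr/bin/passwd "$(check_installed /usr/bin/passwd)"
fi
```

A result of "prelinked" means the recorded checksum matches once prelink's relocation is undone, which is the case debsums silently accepts unless run with --no-prelink; "MODIFIED" with the sticky bit gone, as described for passwd above, is what warrants taking the machine offline and rebuilding from known-good media.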