
Re: Am I paranoid?



On Mon, 24 Feb 2014 17:28:32 +0100
ha <hiei.arhiva@gmail.com> wrote:

> 
> >
> > debsums -ac -r /mnt
> >
> Great, thanks! I didn't know about debsums.
> However, it does not report anything when started from the debian live usb.

Well, that's good. Meaning, that's simply a misuse of root, not a
rooted host. No reinstall is necessary, probably; simple removal of:

/etc/init.d/vmtoolsd
/etc/pam.d/vmtoolsd
/usr/bin/vmtoolsd

should do it.

Don't forget to change the root password just in case.


> I will format the disk and do a fresh install anyway, but I simply do not
> understand how something like this could be done. This is the first time
> I noticed something like this, simply because it is a fresh install.

Three possible ways:

1) Unofficial install media. You won't believe what kind of strange
gizmos people put into these ;)

2) Lack of physical security. Remove an HDD, place it into another
host, copy some files, put back.

3) Someone has a root password, and that's not you. Or, you left root
shell and an unlocked screen, someone has used it.


> By the way, I do not have sshd installed (and there is no /usr/sbin/sshd).

I mentioned sshd as an example. There are plenty of ways to make a remote
connection to the host (telnet, VNC, XDMCP), and all of them can be used
for root access.

Just to be on the safe side, scan your host with 'nmap -sT -sU -p 1-65535'
for both IPv4 and IPv6. Consider blocking everything unneeded with
iptables.


> And no suspicious users in /etc/passwd.

That's good.

Reco
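One caveat a reader of this thread should know: `debsums -r /mnt` only verifies files that some installed package lists in its md5sums, so a binary or init script that belongs to no package at all (exactly the kind of thing someone with root might drop into /usr/bin or /etc/init.d) is never reported by it, no matter how clean the run looks. The script below is an added example and not code from the thread or from Debian; it walks the dpkg file lists on the suspect root (assumed mounted at /mnt as in the discussion, with /mnt/var/lib/dpkg/info/*.list intact) and prints every regular file or symlink in the named directories that no package claims. The `unowned_files` function name and the directory arguments are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original thread).  Complements
# "debsums -ac -r ROOT": debsums checks only files listed in a package's
# .md5sums, while this lists files that NO installed package owns, using
# the file lists dpkg keeps under ROOT/var/lib/dpkg/info/*.list.
#
# Usage (from a live USB with the suspect root mounted read-only):
#   sh unowned.sh /mnt /usr/bin /usr/sbin /etc/init.d /etc/pam.d
# Directory arguments are given relative to ROOT; output paths are too.

LC_ALL=C
export LC_ALL

unowned_files() {
    root="$1"; shift
    owned="$(mktemp)" || return 1

    # Every path recorded in every package's file list, one per line,
    # sorted so that comm(1) can do a set difference against it.
    cat "$root"/var/lib/dpkg/info/*.list 2>/dev/null | sort -u > "$owned"

    # Walk the requested directories under ROOT.  Only regular files and
    # symlinks are interesting: a planted daemon is a file, not a directory.
    # Strip the ROOT prefix so paths compare with what dpkg recorded
    # (cut by character count avoids treating ROOT as a regex).
    for dir in "$@"; do
        find "$root$dir" \( -type f -o -type l \) -print 2>/dev/null |
            cut -c"$((${#root} + 1))-"
    done | sort -u | comm -23 - "$owned"

    rm -f "$owned"
}

# Only run when directories were given on the command line, so the file
# can also be sourced for the function alone.
if [ "$#" -ge 2 ]; then
    unowned_files "$@"
fi
```

On a stock install the list is short and explainable (locally generated files such as /etc/init.d/.depend.* or admin-created scripts); anything like /usr/bin/vmtoolsd showing up here means dpkg never installed it. For a single file, `dpkg --admindir=/mnt/var/lib/dpkg -S /usr/bin/vmtoolsd` gives the same answer the other way round: either a package name, or "not found". Note that this only finds files outside the package system; a modified file that is still package-owned is debsums' job, so run both.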

