
Re: Have I been hacked?

On 06.01.2015 19:04, Danny wrote:
However, I have a few other weird-looking files in the /boot directory. Can you guys please have a look at them and tell me if they are normal or not.

#########################################################
drwxr-xr-x  3 root root 4.0K Jan  6 19:35 .
drwxr-xr-x 24 root root 4.0K Jan  3 17:23 ..
-rwxr-xr-x  1 root root 648K Jan  6 19:03 aknaykocbs
-rwxr-xr-x  1 root root 648K Jan  1 11:34 bxerzoalfk
-rw-r--r--  1 root root 157K Dec 10 18:57 config-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 132K Dec  8 00:36 config-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 20 08:04 cwpgfmvkrk
-rwxr-xr-x  1 root root 648K Dec 30 22:41 czhlgmsgzh
-rwxr-xr-x  1 root root 648K Dec 30 20:03 dkseypedtx
-rwxr-xr-x  1 root root 648K Jan  3 15:14 esijfkmwnd
-rwxr-xr-x  1 root root 648K Dec 27 14:49 fndswijgdk
-rwxr-xr-x  1 root root    0 Dec 20 08:14 gbwokvqoch
drwxr-xr-x  3 root root  12K Jan  3 17:23 grub
-rwxr-xr-x  1 root root 648K Jan  5 07:28 gyimenpwnt
-rwxr-xr-x  1 root root 648K Dec 31 17:49 hjmmvaxfzq
-rwxr-xr-x  1 root root 648K Dec 15 21:25 hutaslspbf
-rw-r--r--  1 root root  14M Jan  3 17:25 initrd.img-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root  11M Jan  2 22:01 initrd.img-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Jan  2 18:47 isrgzlchmx
-rwxr-xr-x  1 root root 648K Dec 27 14:56 izytxsbskq
-rwxr-xr-x  1 root root 648K Jan  5 18:40 kvvcqvddix
-rwxr-xr-x  1 root root 648K Jan  1 11:19 ryrfvxjggh
-rwxr-xr-x  1 root root    0 Jan  5 19:08 sgopxfsiac
-rw-r--r--  1 root root 2.0M Dec 10 18:57 System.map-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 1.6M Dec  8 00:36 System.map-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 30 20:40 ttqssdikcn
-rwxr-xr-x  1 root root    0 Dec 26 17:11 utxlhlmnix
-rwxr-xr-x  1 root root    0 Dec 12 07:29 vdqepbezvg
-rw-r--r--  1 root root 2.9M Dec 10 18:56 vmlinuz-3.16.0-0.bpo.4-686-pae
-rw-r--r--  1 root root 2.6M Dec  8 00:35 vmlinuz-3.2.0-4-686-pae
-rwxr-xr-x  1 root root 648K Dec 31 17:30 wevzubbsgn
-rwxr-xr-x  1 root root 648K Jan  1 09:46 xjeemjyuly
-rwxr-xr-x  1 root root 648K Jan  1 17:10 zfmpizunja
-rwxr-xr-x  1 root root 648K Jan  1 10:00 zkdjlvhuui
-rwxr-xr-x  1 root root    0 Dec 30 22:32 zpaqgbuxvr
########################################################

What bothers me is that the "other" files are all the same size (648k) as the suspected file I removed, and they are very recent additions to the /boot directory.

Thank You

Danny

Hello.

Imho you can safely remove those files, whose names seem to be random sequences of characters.

Oh, and, if your /boot is on another partition, just do not mount it automatically, or if it is really needed, mount it read-only. If you really, really need to write to it frequently (except for kernel updates, I mean), then you could add a flag to it to avoid code execution from it, I think.

I usually place /boot on a different partition for other reasons, like:
_ putting an ISO there to boot in case of emergency (so I can boot on it, and install or repair a system without too many troubles)
_ storing my lilo configuration file there instead of in /etc (useful, because lilo does not automatically detect other OSes... but it's far easier to customize than grub)
_ and sometimes putting several kernels of several OSes in the same place (but this is not really useful since lots of stuff goes in /lib anyway; plus, it tends to become messy to update my kernels since I have never tried to automatically ask systems to put an OS's kernel in a subfolder. For Debian I think there might be a solution with hooks in the apt system... should search more about it someday).

Obviously, I don't do that on VMs (mostly only default stuff there), so here is an ls on a sane system:

:/boot$ ls
config-3.2.0-4-amd64 grub initrd.img-3.2.0-4-amd64 lost+found System.map-3.2.0-4-amd64 vmlinuz-3.2.0-4-amd64
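The comparison the reply makes by eye (expected kernel files vs. random-looking names) can be scripted. This is an added example, not code from the thread: it flags entries in a /boot-style directory whose names do not match what a Debian kernel install puts there, and builds a constructed sample directory shaped like Danny's listing to run against. The pattern list and the `make_sample` names are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread). Prints entries in the given
# directory whose names do not look like the files a Debian kernel package
# or grub installs in /boot. Random-looking names stand out immediately.
# A read-only, non-executable mount for a separate /boot, as the reply
# suggests, would look like this in /etc/fstab (UUID is a placeholder):
#   UUID=<boot-fs-uuid>  /boot  ext2  defaults,ro,nodev,nosuid,noexec  0  2
unexpected_boot_files() {
    dir="$1"
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue          # skip unmatched glob literals
        name=$(basename "$path")
        case "$name" in
            vmlinuz-*|initrd.img-*|config-*|System.map-*) ;;   # kernel files
            grub|lost+found|efi|memtest86*) ;;                 # expected dirs/tools
            *) printf '%s\n' "$name" ;;                        # anything else
        esac
    done
}

# Constructed sample: the legitimate kernel files from the quoted listing
# plus two random-named entries mimicking the suspicious ones.
make_sample() {
    d=$(mktemp -d)
    for f in config-3.2.0-4-686-pae initrd.img-3.2.0-4-686-pae \
             System.map-3.2.0-4-686-pae vmlinuz-3.2.0-4-686-pae; do
        : > "$d/$f"
    done
    mkdir "$d/grub"
    : > "$d/aknaykocbs"    # constructed stand-in for a random-named file
    : > "$d/gbwokvqoch"    # constructed stand-in (zero-length, like the listing)
    printf '%s\n' "$d"
}

# Number of unexpected entries, for a quick yes/no check in scripts.
count_unexpected() {
    unexpected_boot_files "$1" | wc -l | tr -d ' '
}
```

Run `unexpected_boot_files /boot` on a real system; anything printed deserves a `dpkg -S` lookup before being trusted.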