
Re: Have I been hacked?



On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> Hi guys,
> 
> I am afraid my happiness was short lived. To test if the deletion of the
> file (and the effects thereof) would be permanent I rebooted the system and
> consequently found another file (same size, same random lettering) booted
> up with everything else. :( ... The culprit is well hidden and regenerates
> itself ...

Well… if something creates a file in /boot, it needs to be started somewhere. I 
still bet an examination along the ideas I suggested from a live distro may 
reveal where the file is created. Or it may not, at least not easily, if a 
changed binary creates the file, instead of some script. It's still not clear 
whether it's really malware or just some broken third party software you 
installed, but… if you didn't install any broken third party software and it 
really is, read on.

> I did "file -k", "grep -ir" and most of the other things you guys suggested,
> but nothing showed up. I am now going through the "after-compromise"
> chapter as one of you suggested.

That doesn't make sense to me. At least file -k on one of the files should show 
some output.

> I will run "sleuthkit" and report if anything is found. However, I am afraid
> a backup and re-installation is on the horizon for me ...... sigh .....
> 
> Can I make the "/etc/init.d" directory readable only with the contents
> thereof still executable ... until I can properly back-up and install
> everything again? ... or maybe some other short term solution ...

No. In case of a compromise, *reinstall* from *scratch*.

It's that easy.

Especially when you do not know how the file is created on bootup. It could be 
basically anywhere.

Really read:

https://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html

:)

I'd *switch* off the machine in the case of a compromise. This will also 
disconnect it from the network.

Then I'd use a live distro to make a file-based copy to a safe place. With 
rsync I bet.

Then I'd reinstall from scratch. And be extra careful with any data I copy 
back from the backup.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
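A triage script along the lines Martin sketches above (inspect from a live distro, grep the startup hooks, check what in /boot no package accounts for), added here as an example and not part of the thread. It assumes the suspect root filesystem is already mounted read-only at the path given as its argument; the hook list and the dpkg file-list lookup are the author's own choices.

```shell
#!/bin/sh
# Added triage helpers, not from the thread. Assumed: the suspect root
# filesystem is already mounted read-only under $1 from a live distro, e.g.
#   mount -o ro,noexec,nosuid,nodev /dev/sdXn /mnt/suspect
# Only scripts and unit files are inspected; a trojaned binary that writes
# the file (the case Martin warns about) would not show up here.

# Startup hooks (init scripts, cron, systemd units) whose text mentions /boot.
# One path per line, sorted; empty output means nothing matched.
find_boot_writers() {
    root="$1"
    grep -rIl -- '/boot' \
        "$root/etc/init.d" "$root/etc/rc.local" "$root/etc/crontab" \
        "$root/etc/cron.d" "$root/etc/cron.daily" "$root/etc/cron.hourly" \
        "$root/etc/systemd/system" "$root/lib/systemd/system" \
        "$root/var/spool/cron/crontabs" 2>/dev/null | sort
}

# Files directly under /boot that no installed package claims, judged from
# the dpkg file lists on the suspect disk. Generated initrd images show up
# here as well, so expect a few known names next to anything unexplained.
unowned_boot_files() {
    root="$1"
    for f in "$root"/boot/*; do
        [ -f "$f" ] || continue
        name="/boot/${f##*/}"
        grep -qxF -- "$name" "$root"/var/lib/dpkg/info/*.list 2>/dev/null \
            || echo "$name"
    done
}

# Usage: sh triage.sh /mnt/suspect
if [ -n "$1" ]; then
    echo "== startup hooks mentioning /boot =="; find_boot_writers "$1"
    echo "== files in /boot owned by no package =="; unowned_boot_files "$1"
fi
```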

