Re: Have I been hacked?
On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> Hi guys,
>
> I am afraid my happiness was short lived. To test if the deletion of the
> file (and the effects thereof) would be permanent I rebooted the system and
> consequently found another file (same size, same random lettering) booted
> up with everything else. :( ... The culprit is well hidden and regenerates
> itself ...
Well… if something creates a file in /boot, it needs to be started somewhere. I
still bet an examination along the ideas I suggested from a live distro may
reveal where the file is created. Or it may not, at least not easily, if a
changed binary creates the file instead of some script. It's still not clear
whether it's really malware or just some broken third-party software you
installed, but… if you didn't install any broken third-party software and it
really is, read on.
> I did "file -k", "grep -ir" and most of the other things you guys suggested,
> but nothing showed up. I am now going through the "after-compromise"
> chapter as one of you suggested.
That doesn't make sense to me. At least file -k on one of the files should show
some output.
> I will run "sleuthkit" and report if anything is found. However, I am afraid
> a backup and re-installation is on the horizon for me ...... sigh .....
>
> Can I make the "/etc/init.d" directory readable only with the contents
> thereof still executable ... until I can properly back up and install
> everything again? ... or maybe some other short term solution ...
No. In case of a compromise, *reinstall* from *scratch*.
It's that easy.
Especially when you do not know how the file is created on bootup. It could be
basically anywhere.
Really read:
https://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html
:)
I'd *switch* off the machine in the case of a compromise. This will also
disconnect it from the network.
Then I'd use a live distro to make a file-based copy to a safe place. With
rsync, I bet.
Then I'd reinstall from scratch. And be extra careful with any data I copy
back from the backup.
--
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7
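The procedure the reply outlines (boot a live distro, mount the suspect disk read-only, make a file-based copy with rsync, then look for whatever recreates the file in /boot) as a set of shell functions. This is an added example and not part of the original thread; the device name, mount points and the file-name pattern are placeholders, and the dpkg md5sums check assumes the checksum lists on the suspect root were not altered along with the files (a careful intruder changes both, which is one reason the reply still says reinstall).

```shell
#!/bin/sh
# Added example, not from the original thread. Run from a live distro against
# the *unbooted* suspect installation; device and paths are placeholders.
set -eu

# Mount the suspect root read-only so the examination changes nothing on it
# (no execution from it either: noexec,nosuid,nodev).
mount_suspect() {          # mount_suspect /dev/sdX2 /mnt/suspect
  mkdir -p "$2"
  mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Print the rsync command for the file-based copy: archive mode plus ACLs,
# xattrs, hardlinks and numeric ids so ownership survives the move.
rsync_cmd() {              # rsync_cmd /mnt/suspect /media/backup/suspect-copy
  printf 'rsync -aAXH --numeric-ids --info=progress2 %s/ %s/\n' "$1" "$2"
}

# List every file under the suspect /boot with ctime, mtime, size and path,
# sorted by ctime: a file regenerated on every boot shows a ctime near the
# last boot instead of the install date of the kernel and initrd.
boot_listing() {           # boot_listing /mnt/suspect
  find "$1/boot" -xdev -type f -printf '%C@ %T@ %s %p\n' | sort -n
}

# Search the usual startup locations on the suspect root for anything that
# names the regenerated file: init scripts, rc.local, cron, profile.d, systemd
# units.  Prints "file:line:text" matches.  Finds scripts only; a modified
# binary that writes the file will not show up here.
find_starter() {           # find_starter /mnt/suspect 'QkXzPl'
  root=$1; pat=$2
  for d in etc/init.d etc/rc.local etc/crontab etc/cron.d etc/cron.daily \
           etc/cron.hourly etc/profile.d etc/systemd lib/systemd/system \
           var/spool/cron; do
    [ -e "$root/$d" ] && grep -rIn -- "$pat" "$root/$d" 2>/dev/null || true
  done
}

# Compare installed package files against dpkg's own md5sums lists on the
# suspect root.  Prints each mismatching path and returns non-zero if any
# differ.  Only catches modifications that left the lists untouched.
verify_pkg_files() {       # verify_pkg_files /mnt/suspect
  (cd "$1" && cat var/lib/dpkg/info/*.md5sums | md5sum -c --quiet)
}
```

Typical order: `mount_suspect /dev/sdX2 /mnt/suspect`, then run `rsync_cmd` output to copy everything off, then `boot_listing`, `find_starter` and `verify_pkg_files` against /mnt/suspect before deciding what, if anything, from the copy is safe to restore after the reinstall.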