
Re: Have I been hacked?



Hi guys,

I am afraid my happiness was short-lived. To test if the deletion of the file
(and the effects thereof) would be permanent I rebooted the system and
consequently found another file (same size, same random lettering) booted up
with everything else. :( ... The culprit is well hidden and regenerates itself
...

I did "file -k", "grep -ir" and most of the other things you guys suggested, but
nothing showed up. I am now going through the "after-compromise" chapter as one
of you suggested.

I will run "sleuthkit" and report if anything is found. However, I am afraid a
backup and re-installation is on the horizon for me ...... sigh .....

Can I make the "/etc/init.d" directory readable only with the contents thereof
still executable ... until I can properly back-up and install everything again?
... or maybe some other short term solution ...

Thank You

Danny

