
Re: Have I been hacked?



On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:

> Am Dienstag, 6. Januar 2015, 21:51:26 schrieb Danny:
> > Hi guys,
> > 
> > I am afraid my happiness was short lived. To test if the deletion of the
> > file (and the effects thereof) would be permanent I rebooted the system and
> > consequently found another file (same size, same random lettering) booted
> > up with everything else. :( ... The culprit is well hidden and regenerates
> > itself ...
> 
> Well… if something creates a file in /boot, it needs to be started somewhere. I 
> still bet an examination along the ideas I suggested from a live distro may 
> reveal where the file is created. Or it may not, at least not easily, if a 
> changed binary creates the file, instead of some script. It's still not clear 
> whether it's really malware or just some broken third party software you 
> installed, but… if you didn't install any broken third party software and it 
> really is, read on.

Are we now to assume these files are only created on boot? The OP could 
at least look into this and let us know whether this is so. It looks to
me there is some configuration which creates them. The configuration is
far more likely to have been produced by him than some invader.

> > I did "file -k", "grep -ir" and most of the other things you guys suggested,
> > but nothing showed up. I am now going through the "after-compromise"
> > chapter as one of you suggested.
> 
> That doesn't make sense to me. At least file -k on one of the files should show 
> some output.

Doesn't make sense to me either. The file command produces something.
Your mentioning of it was really a suggestion for the OP to provide
its output. The invitation wasn't taken up.

> > I will run "sleuthkit" and report if anything is found. However, I am afraid
> > a backup and re-installation is on the horizon for me ...... sigh .....
> > 
> > Can I make the "/etc/init.d" directory readable only with the contents
> > thereof still executable ... until I can properly back-up and install
> > everything again? ... or maybe some other short term solution ...
> 
> No. In case of a compromise, *reinstall* from *scratch*.
> 
> It's that easy.

Or....

If the machine is not compromised - fix it.

It's that easy.

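The two things the thread keeps asking the OP for (find what starts whatever writes the file into /boot, and show the `file -k` output) can be done in one pass. The following POSIX shell helper is an added example written for this page; it is not code from the thread or from either poster. It assumes a Debian-style layout under a root prefix (for an examination from a live distro, the mounted root of the suspect disk; the /mnt/sysroot path in the usage line is an assumed mount point), it uses GNU `stat`, and the file name abc123 is made up.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Given the basename of the
# mystery file that keeps reappearing in /boot, grep the places Debian starts
# code from at boot for anything that mentions it, and fingerprint the file so
# a reappearing copy can be compared with the one that was deleted.

# Boot-time starting points, relative to the system root. Assumed list; extend
# it with whatever else the host runs at boot.
BOOT_DIRS="etc/init.d etc/rc.local etc/rcS.d etc/cron.d etc/crontab etc/cron.daily etc/systemd etc/default etc/profile.d etc/udev/rules.d"

# find_references NAME [ROOT]
# Print "path:line:text" for every line under ROOT (default "/") that contains
# NAME. Return 0 if at least one reference was found, 1 otherwise.
find_references() {
    name=$1
    root=${2:-/}
    found=1
    for d in $BOOT_DIRS; do
        p="$root/$d"
        [ -e "$p" ] || continue
        # -r recurse, -I skip binaries, -n line numbers, -F literal match
        if grep -rInF -- "$name" "$p" 2>/dev/null; then
            found=0
        fi
    done
    return $found
}

# fingerprint FILE
# Print size, inode, mtime (epoch) and sha256 on one line, then the output of
# "file -k" (which keeps going after the first match). Same size but a
# different hash or inode means the file is being regenerated, not surviving
# deletion. Return 1 if FILE does not exist. Uses GNU stat (assumption).
fingerprint() {
    f=$1
    [ -f "$f" ] || return 1
    printf '%s %s\n' "$(stat -c '%s %i %Y' "$f")" "$(sha256sum -- "$f" | cut -d' ' -f1)"
    if command -v file >/dev/null 2>&1; then
        file -k "$f"
    fi
}

# Usage: sh triage.sh NAME [ROOT]
# e.g.   sh triage.sh abc123 /mnt/sysroot   (abc123 and /mnt/sysroot are made up)
if [ $# -ge 1 ]; then
    root=${2:-/}
    find_references "$1" "$root" || echo "no references to $1 under $root"
    fingerprint "$root/boot/$1" || echo "$root/boot/$1 is not present right now"
fi
```

Run it once before rebooting and once after, and compare the two fingerprint lines: a changed inode with an unchanged mtime, or a changed hash with the same size, settles the "created on boot" question that the reply above raises. No hit from find_references narrows things to a changed binary or a package hook rather than a script, which is the harder case Martin describes.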
