
Re: Have I been hacked?



On Tuesday, 6 January 2015, 19:20:20, Brian wrote:
> On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:
> > On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> > > Hi guys,
> > > 
> > > I am afraid my happiness was short lived. To test if the deletion of the
> > > file (and the effects thereof) would be permanent I rebooted the system
> > > and consequently found another file (same size, same random lettering)
> > > booted up with everything else. :( ... The culprit is well hidden and
> > > regenerates itself ...
> > 
> > Well… if something creates a file in /boot, it needs to be started
> > somewhere. I still bet an examination along the ideas I suggested from a
> > live distro may reveal where the file is created. Or it may not, at least
> > not easily, if a changed binary creates the file, instead of some script.
> > It's still not clear whether it's really malware or just some broken
> > third party software you installed, but… if you didn't install any broken
> > third party software and it really is, read on.
> 
> Are we now to assume these files are only created on boot? The OP could
> at least look into this and let us know whether this is so. It looks to
> me there is some configuration which creates them. The configuration is
> far more likely to have been produced by him than some invader.
> 
> > > I did "file -k", "grep -ir" and most of the other things you guys
> > > suggested, but nothing showed up. I am now going through the
> > > "after-compromise" chapter as one of you suggested.
> > 
> > That doesn't make sense to me. At least file -k on one of the files should
> > show some output.
> 
> Doesn't make sense to me either. The file command produces something.
> Your mentioning of it was really a suggestion for the OP to provide
> its output. The invitation wasn't taken up.
> 
> > > I will run "sleuthkit" and report if anything is found. However, I am
> > > afraid a backup and re-installation is on the horizon for me ......
> > > sigh .....
> > > 
> > > Can I make the "/etc/init.d" directory readable only with the contents
> > > thereof still executable ... until I can properly back-up and install
> > > everything again? ... or maybe some other short term solution ...
> > 
> > No. In case of a compromise, *reinstall* from *scratch*.
> > 
> > It's that easy.
> 
> Or....
> 
> If the machine is not compromised - fix it.
> 
> It's that easy.

Sure, that's why I wrote:

> > No. In case of a compromise, *reinstall* from *scratch*.

I think "In case of a compromise" is clear enough.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
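The "examine it from a live distro" approach discussed above, as an added example that is not part of the thread: with the suspect root filesystem mounted read-only (assumed at a path given as the first argument, e.g. /mnt/suspect) and the name of the reappearing file given as the second, it searches the usual boot-time launch points for anything referencing that name and lists /boot by modification time. The list of startup directories and the helper names are my own assumptions.

```shell
#!/bin/sh
# Added example for the thread, not the original poster's commands.
# Assumes the suspect system's root is mounted (read-only) at $1 and that
# $2 is the random file name that keeps reappearing in /boot.

# Places from which something can be started at boot or on a schedule,
# relative to the mounted root (constructed list; extend as needed).
STARTUP_DIRS="etc/init.d etc/rcS.d etc/rc2.d etc/rc.local etc/crontab
etc/cron.d etc/cron.hourly etc/cron.daily etc/systemd/system
lib/systemd/system etc/profile.d"

# Print every text file under the startup locations that mentions PATTERN.
# Searching the mounted tree, not the live system, avoids trusting binaries
# on the suspect disk; a reference from a modified binary will not show up.
scan_startup_refs() {
    root=$1; pattern=$2
    for d in $STARTUP_DIRS; do
        [ -e "$root/$d" ] || continue
        grep -rlI -- "$pattern" "$root/$d" 2>/dev/null
    done
}

# Number of startup files referencing PATTERN (0 means: look elsewhere,
# e.g. at package integrity or binaries, not that the box is clean).
count_startup_refs() {
    scan_startup_refs "$1" "$2" | wc -l | tr -d ' '
}

# /boot of the mounted root, newest modification first, so the regenerated
# file's timestamp can be compared with the last boot and its neighbours.
list_boot_newest_first() {
    ls -lt "$1/boot"
}

# Usage: sh scan.sh /mnt/suspect qzplmv   (only runs when arguments given)
if [ -n "$1" ] && [ -d "$1/boot" ]; then
    echo "Startup files referencing '$2':"
    scan_startup_refs "$1" "$2"
    echo "Contents of $1/boot, newest first:"
    list_boot_newest_first "$1"
fi
```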

