
Re: Have I been hacked?



On Tue 06 Jan 2015 at 20:28:04 +0100, Martin Steigerwald wrote:

> Am Dienstag, 6. Januar 2015, 19:20:20 schrieb Brian:
> > On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:
> > > Am Dienstag, 6. Januar 2015, 21:51:26 schrieb Danny:
> > > > Hi guys,
> > > > 
> > > > I am afraid my happiness was short lived. To test if the deletion of the
> > > > file (and the effects thereof) would be permanent I rebooted the system
> > > > and consequently found another file (same size, same random lettering)
> > > > booted up with everything else. :( ... The culprit is well hidden and
> > > > regenerates itself ...
> > > 
> > > Well… if something creates a file in /boot, it needs to be started
> > > somewhere. I still bet an examination along the ideas I suggested from a
> > > live distro may reveal where the file is created. Or it may not, at least
> > > not easily, if a changed binary creates the file, instead of some script.
> > > It's still not clear whether it's really malware or just some broken
> > > third-party software you installed, but… if you didn't install any broken
> > > third-party software and it really is, read on.
> > 
> > Are we now to assume these files are only created on boot? The OP could
> > at least look into this and let us know whether this is so. It looks to
> > me there is some configuration which creates them. The configuration is
> > far more likely to have been produced by him than some invader.
> > 
> > > > I did "file -k", "grep -ir" and most of the other things you guys
> > > > suggested, but nothing showed up. I am now going through the
> > > > "after-compromise" chapter as one of you suggested.
> > > 
> > > That doesn´t make sense to me. At least file -k on one of the files should
> > > show some output.
> > 
> > Doesn't make sense to me either. The file command produces something.
> > Your mentioning of it was really a suggestion for the OP to provide
> > its output. The invitation wasn't taken up.
> > 
> > > > I will run "sleuthkit" and report if anything is found. However, I am
> > > > afraid a backup and re-installation is on the horizon for me ......
> > > > sigh .....
> > > > 
> > > > Can I make the "/etc/init.d" directory readable only with the contents
> > > > thereof still executable ... until I can properly back up and install
> > > > everything again? ... or maybe some other short-term solution ...
> > > 
> > > No. In case of a compromise, *reinstall* from *scratch*.
> > > 
> > > It's that easy.
> > 
> > Or....
> > 
> > If the machine is not compromised - fix it.
> > 
> > It's that easy.
> 
> Sure, that's why I wrote:
> 
> > > No. In case of a compromise, *reinstall* from *scratch*.
> 
> I think "In case of a compromise" is clear enough.

"If the machine is not compromised" is also clear enough.
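Martin's point that whatever drops the file in /boot has to be started from somewhere, and Brian's question whether the file only appears on boot, both reduce to checks you can run from a live distro with the suspect root mounted. The script below is an added example, not code from the thread or from Debian; it assumes the suspect root is mounted (read-only) at the path you pass as the first argument and searches only the usual Debian startup and cron locations, which is an assumption for the example. As Martin says, a modified binary rather than a script would not show up this way.

```sh
#!/bin/sh
# Added example, not part of the thread.  Run from a live/rescue system with
# the suspect root filesystem mounted read-only at the path given as $1.
# The directories searched are the usual Debian startup and scheduled-task
# locations (an assumption for this example); a changed binary rather than a
# script would not be found this way.

# Print, sorted, every file under the common persistence locations that
# mentions /boot.  Anything listed is where to look next.
find_boot_writers() {
    root="$1"
    for d in etc/rc.local etc/init.d etc/cron.d etc/crontab \
             etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly \
             var/spool/cron/crontabs etc/systemd/system lib/systemd/system \
             etc/profile.d etc/bash.bashrc; do
        [ -e "$root/$d" ] || continue
        grep -rl -- '/boot' "$root/$d" 2>/dev/null
    done | sort -u
}

# Print files under $root/boot modified after the reference file $2.  Touch
# a marker file in /boot before rebooting the suspect system, then pass it
# here: whatever appears was created (or rewritten) during or after that boot,
# which answers whether the file is only produced at boot time.
newer_in_boot() {
    root="$1"
    ref="$2"
    find "$root/boot" -type f -newer "$ref" | sort
}

# Constructed fixture standing in for a mounted root, so the example runs
# offline: one benign init script, one script that drops a random-named file
# into /boot, a benign cron entry, and a /boot holding an old kernel, the
# marker, and one freshly created file.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/cron.d" "$root/boot"
    printf '#!/bin/sh\n# benign: nothing of interest here\nexit 0\n' \
        > "$root/etc/init.d/networking"
    printf '#!/bin/sh\nhead -c 4096 /dev/urandom > /boot/$(tr -dc a-z < /dev/urandom | head -c 8)\n' \
        > "$root/etc/init.d/rc.sysinit.bak"
    printf '*/5 * * * * root /usr/bin/true\n' > "$root/etc/cron.d/benign"
    # Old timestamps for the kernel and the marker; the new file gets "now".
    touch -t 200001010000 "$root/boot/vmlinuz-old" "$root/boot/marker"
    : > "$root/boot/qzxvbnml"
    echo "$root"
}

# Demonstration on the constructed fixture
root=$(make_fixture)
echo "files referencing /boot:"
find_boot_writers "$root"
echo "files in /boot newer than the marker:"
newer_in_boot "$root" "$root/boot/marker"
rm -rf "$root"
```

Against a real mount, replace the fixture with something like `find_boot_writers /mnt/suspect` and `newer_in_boot /mnt/suspect /mnt/suspect/boot/marker`; an empty first list with a non-empty second one is the case Martin warns about, where a script search is not enough and the creator is a binary.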

