
Re: Have I been hacked?



Brian <ad44@cityscape.co.uk> writes:

> On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:
>
>> On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
>> > Hi guys,
>> > 
>> > I am afraid my happiness was short lived. To test if the deletion of the
>> > file (and the effects thereof) would be permanent I rebooted the system and
>> > consequently found another file (same size, same random lettering) booted
>> > up with everything else. :( ... The culprit is well hidden and regenerates
>> > itself ...
>> 
>> Well… if something creates a file in /boot, it needs to be started somewhere. I 
>> still bet an examination along the ideas I suggested from a live distro may 
>> reveal where the file is created. Or it may not, at least not easily, if a 
>> changed binary creates the file, instead of some script. It's still not clear 
>> whether it's really malware or just some broken third-party software you 
>> installed, but… if you didn't install any broken third-party software and it 
>> really is, read on.
>
> Are we now to assume these files are only created on boot? The OP could 
> at least look into this and let us know whether this is so. It looks to
> me there is some configuration which creates them. The configuration is
> far more likely to have been produced by him than some invader.
>
I've seen malware that downloaded a Bitcoin miner and installed it, and
reinstalled itself if removed.

That one was rather dumb and had installed the installation check and
download script as a cron job, so it was easy to remove, but if it is at
all possible, reinstalling is the best bet.

Mart
-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
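Mart's cron-job case and Martin's suggestion of looking from a live distro both come down to the same check: mount the suspect root and grep the places a script-based persistence hook lives for the file name, for /boot, and for anything that fires on every boot. The script below is an added example, not code from this thread or from any Debian tool; it assumes a Debian-style filesystem layout, and the cron entry and file names in its demo root (sysupdate, qhTYgf) are constructed for illustration. It only searches script and config locations, so a trojaned binary, the other possibility Martin raises, would not show up here and needs a package integrity check instead.

```shell
#!/bin/sh
# Added example, not code from the original thread. Given a suspect root
# filesystem mounted (ideally read-only) from a live distro, e.g. at
# /mnt/sysroot, look for cron jobs and other boot-time hooks that could be
# recreating a file such as the one in /boot. Assumption: Debian-style layout.

# Persistence locations to inspect, relative to the mounted root.
PERSIST_PATHS="etc/crontab etc/anacrontab etc/cron.d etc/cron.hourly
etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron/crontabs
etc/rc.local etc/init.d etc/systemd/system lib/systemd/system
usr/lib/systemd/system etc/profile etc/profile.d etc/bash.bashrc
root/.bashrc root/.profile"

# find_persistence_refs ROOT PATTERN
# Print every line under the persistence locations that mentions PATTERN
# (a file name, a path such as /boot, or a URL). Binary files are skipped.
find_persistence_refs() {
    root="$1"; pattern="$2"
    for p in $PERSIST_PATHS; do
        [ -e "$root/$p" ] || continue
        grep -rIHn -- "$pattern" "$root/$p" 2>/dev/null || true
    done
}

# list_boot_hooks ROOT
# Print cron @reboot entries and systemd units enabled via *.wants symlinks:
# the hooks that fire on every boot, which is when the file reappears.
list_boot_hooks() {
    root="$1"
    for p in etc/crontab etc/cron.d var/spool/cron/crontabs; do
        [ -e "$root/$p" ] || continue
        grep -rIHn -- '@reboot' "$root/$p" 2>/dev/null || true
    done
    for link in "$root"/etc/systemd/system/*.wants/*; do
        [ -L "$link" ] || continue
        printf '%s -> %s\n' "$link" "$(readlink "$link")"
    done
}

# make_demo_root
# Build a throwaway root with CONSTRUCTED sample hooks so the functions can
# be exercised offline; prints the directory. All names here are invented.
make_demo_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/etc/systemd/system/multi-user.target.wants" \
             "$d/lib/systemd/system" "$d/boot"
    # constructed: a cron job that re-copies a payload into /boot on each boot
    printf '@reboot root cp /var/tmp/.cache/qhTYgf /boot/qhTYgf\n' \
        > "$d/etc/cron.d/sysupdate"
    # constructed: a benign enabled unit, to show not every hook is a hit
    printf '[Service]\nExecStart=/usr/sbin/cron -f\n' \
        > "$d/lib/systemd/system/cron.service"
    ln -s /lib/systemd/system/cron.service \
        "$d/etc/systemd/system/multi-user.target.wants/cron.service"
    echo "$d"
}

# Usage: persist_check.sh /mnt/sysroot qhTYgf   (or --demo for the sample root)
case "${1:-}" in
    --demo) r=$(make_demo_root)
            find_persistence_refs "$r" /boot; list_boot_hooks "$r"
            rm -rf "$r" ;;
    "")     ;;
    *)      find_persistence_refs "$1" "${2:-/boot}"; list_boot_hooks "$1" ;;
esac
```

Run it from the live system against the mounted root with the random file name as the second argument, then again with /boot; a hit in cron.d or an @reboot line is the script-based case, while no hit anywhere in these paths points at a modified binary or a hook outside the listed locations.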