On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
>
> > If anyone has advice on what I should look at forensically to
> > determine the cause of this, it is appreciated. I'll first dig into
> > the logs, bash history etc. and really hope that this happened very
> > recently.
> >
> > Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus
> signatures; you might scan your box with that. It has an on-access,
> realtime monitor option as well, which I use to monitor anything
> downloaded and/or compiled on my box (in case the distribution screen
> gets hacked).
>
> <http://www.free-av.com/en/download/download_servers.php>
>
> Presuming you're rooted, you might first try their stand-alone, Linux
> live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> <http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>

Another idea to help with your forensics would be to bring a netstat and lsof
binary over to your machine and run them to see which actors are running and
trying to get out. That could help you detect what is running on that machine
and google your way from there.

You could also run rkhunter.
--
Regards,
Mick
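An added example, not part of Mick's mail or any tool he names: it does what a known-good netstat/lsof would do by reading /proc/net/tcp directly and mapping every socket inode to the PID holding it, so a connection "trying to get out" with no visible owning process stands out. It assumes a Linux /proc layout; the sample /proc/net/tcp text and the owner map in the test are constructed.

```python
"""Cross-check live TCP sockets against the processes that own them."""
import os
import re
import socket
import struct

# Kernel TCP state codes as they appear in /proc/net/tcp (hex).
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def _decode_addr(hex_addr):
    """Turn '0100007F:0016' into ('127.0.0.1', 22); the IPv4 part is little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp (IPv4) into a list of socket dicts."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows


def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> PID by reading every /proc/<pid>/fd/* symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                m = SOCKET_LINK.match(os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = int(pid)
        except OSError:
            continue  # process exited, or not ours to read
    return owners


def find_orphan_sockets(rows, owners):
    """Sockets no visible process owns. Inode 0 (e.g. TIME_WAIT) is normal."""
    return [r for r in rows if r["inode"] != 0 and r["inode"] not in owners]


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    for s in find_orphan_sockets(live, socket_inode_owners()):
        print("no owner:", s["state"], s["local"], "->", s["remote"])
```

Run it as root, ideally from a known-good Python on a mounted rescue image, and compare its output with what the box's own netstat/lsof report; a mismatch is worth a closer look.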