Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
Date: Mon, 09 Aug 2010 19:47:42
Message-Id: 201008092046.57085.michaelkintzios@gmail.com
In Reply to: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice by 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
>
> > If anyone has advice on what I should look at forensically to
> > determine the cause of this, it is appreciated. I'll first dig into
> > the logs, bash history etc. and really hope that this happened very
> > recently.
> >
> > Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus
> signatures; you might scan your box with that. It has an on-access,
> realtime monitor option as well, which I use to monitor anything
> downloaded and/or compiled on my box (in case the distribution screen
> gets hacked).
>
> <http://www.free-av.com/en/download/download_servers.php>
>
> Presuming you're rooted, you might first try their stand-alone, Linux
> live-disk scanner so as to avoid borked kernel and/or core utilities:
>
> <http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>

Another idea to help with your forensics would be to bring a netstat and lsof
binary over to your machine and run them to see which actors are running and
trying to get out. That could help you detect what is running on that machine
and google your way from there.

You could also run rkhunter.
--
Regards,
Mick
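Mick's suggestion is to bring known-good netstat and lsof binaries onto the box rather than trust the ones on disk. The script below is an added example, not code from Mick or anyone else in this thread. It does the same job without any on-disk network tool: it decodes the kernel's /proc/net/tcp socket table directly, maps a socket inode to its owning PID through /proc/<pid>/fd the way lsof does, and checks a brought-over tool against a SHA-256 manifest before it is trusted. The socket table, the expected-port allow-list and all function names are constructed for the example. One caveat the quoted reply already makes: a kernel-level rootkit can lie in /proc as easily as a trojaned netstat can, which is why the live-disk scan from clean media is still the better first step.

```python
#!/usr/bin/env python3
"""Socket triage without trusting the host's netstat/lsof.

Reads a /proc/net/tcp style table, decodes it, flags listeners on
unexpected ports and established connections to external hosts, and
resolves a socket inode to a PID via /proc/<pid>/fd. Example code only.
"""
import hashlib
import ipaddress
import os
import socket
import struct

# TCP socket states as numbered in the kernel (include/net/tcp_states.h).
TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}

# Networks treated as "internal" for triage: loopback plus RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of /proc/net/tcp (little-endian host). Not real data.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:A3B2 2D7100CB:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   3: 00000000:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    /proc/net/tcp prints the IPv4 address as one 32-bit word in host byte
    order, so on a little-endian machine the octets appear reversed.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Turn the table body into dicts: local, remote, state, uid, inode."""
    conns = []
    for line in text.strip().splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local = decode_addr(fields[1])
        remote = decode_addr(fields[2])
        conns.append({
            "local": local,
            "remote": remote,
            "state": TCP_STATES.get(int(fields[3], 16), "UNKNOWN"),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_suspicious(conns, expected_listen_ports):
    """Return (reason, conn) pairs worth a closer look."""
    findings = []
    for c in conns:
        if c["state"] == "LISTEN" and c["local"][1] not in expected_listen_ports:
            findings.append(("unexpected listener", c))
        elif c["state"] == "ESTABLISHED" and not is_internal(c["remote"][0]):
            findings.append(("established to external host", c))
    return findings


def socket_owner(inode, proc="/proc"):
    """Find the PID holding socket:[inode], as lsof -i would. None if unknown."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:           # process exited or not ours to read
            continue
    return None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tool_matches_manifest(path, expected_sha256):
    """Check a brought-over binary against the hash recorded on clean media."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read()) == expected_sha256


if __name__ == "__main__":
    # Prefer the live table when running on Linux; fall back to the sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for reason, c in flag_suspicious(parse_proc_net_tcp(table), {22, 631}):
        print(f"{reason}: {c['local']} -> {c['remote']} uid={c['uid']} "
              f"inode={c['inode']} pid={socket_owner(c['inode'])}")
```

Run it from a shell started off the rescue media and diff the output against what the (possibly trojaned) netstat on the box reports; a listener or connection that one shows and the other hides is itself a finding.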

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice Kyle Bader <kyle.bader@×××××.com>