| 1 |
Rumen Yotov wrote: |
| 2 |
|
| 3 |
> On Sat, 2006-03-25 at 18:03 +0000, Mick wrote: |
| 4 |
>> Hi All, |
| 5 |
>> |
| 6 |
>> I don't know what to make of the attached. I found it in my distfiles. |
| 7 |
>> I |
| 8 |
>> can't think how I could have saved anything like that in there myself. |
| 9 |
>> As far as I know portage would not save anything like that there (no |
| 10 |
>> package |
| 11 |
>> that I know of). What else could it be? |
| 12 |
>> |
| 13 |
>> Has this box been compromised? |
| 14 |
>> -- |
| 15 |
>> Regards, |
| 16 |
>> Mick |
| 17 |
> Hi, |
| 18 |
> Check the time of creation and if there're more files with nearly equal |
| 19 |
> time/date. Check against time/date of merged packages (genlop --help). |
| 20 |
> Scan with 'rkhunter & chkrootkit' preferably from a LiveCD. |
| 21 |
> PS: there's a very little probability for an existence of some typo in |
| 22 |
> some ebuild which could fetch this file from another URL. Or the worst |
| 23 |
> scenario - some Gentoo mirror might have being compromised. |
| 24 |
> No more ideas for the time being. Backup your data first. |
| 25 |
|
| 26 |
Thanks Rumen. Both ckrootkit and rkhunter come up clean. On the same day I |
| 27 |
had updated the following packages: |
| 28 |
=================================== |
| 29 |
# genlop -l --date 2005-05-25 --date 2005-05-26 |
| 30 |
* sys-apps/debianutils |
| 31 |
|
| 32 |
Wed May 25 19:12:29 2005 >>> sys-apps/debianutils-2.13.1-r1 |
| 33 |
Wed May 25 19:13:53 2005 >>> app-forensics/chkrootkit-0.45 |
| 34 |
Wed May 25 19:16:57 2005 >>> dev-util/strace-4.5.11 |
| 35 |
Wed May 25 19:29:53 2005 >>> www-client/mozilla-bin-1.7.8 |
| 36 |
Wed May 25 19:30:47 2005 >>> www-client/mozilla-firefox-bin-1.0.4 |
| 37 |
Wed May 25 19:31:35 2005 >>> www-client/opera-7.54-r3 |
| 38 |
=================================== |
| 39 |
|
| 40 |
However, the suspect file was (apparently) stored there slightly earlier: |
| 41 |
=================================== |
| 42 |
# ls -la /usr/portage/distfiles/index.html |
| 43 |
-rw-r--r-- 1 root portage 37070 May 25 |
| 44 |
2005 /usr/portage/distfiles/index.html |
| 45 |
=================================== |
| 46 |
|
| 47 |
The other thing I noticed is that I have a number of M$Windoze font |
| 48 |
executables all over portage; e.g. impact32.exe, georgi32.exe, etc. I |
| 49 |
cannot remember if I copied them over from my WinXP partition, but even if |
| 50 |
I did, why would I ever save these in /usr/portage/distfiles?!! Are these |
| 51 |
files used by Linux? |
| 52 |
|
| 53 |
I never use browsers as root and can't remember using wget for a plain html |
| 54 |
page (as opposed to a download). I don't want to get all paranoid |
| 55 |
unnecessarily, but I remember reading something about doing a double emerge |
| 56 |
--sync, using different rsync servers and then comparing file signatures |
| 57 |
before an emerge. Do I need to start looking into how to do this, or is |
| 58 |
there a simpler explanation for the state of my box? |
| 59 |
-- |
| 60 |
Regards, |
| 61 |
Mick |
| 62 |
|
| 63 |
-- |
| 64 |
gentoo-user@g.o mailing list |
Archives