From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
Date: Mon, 9 Aug 2010 20:46:55 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.34-gentoo-r1; KDE/4.4.5; x86_64; ; )
References: <4C604FFF.3060309@gmail.com>
In-Reply-To: <4C604FFF.3060309@gmail.com>
Message-Id: <201008092046.57085.michaelkintzios@gmail.com>

On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
>
> > If anyone has advice on what I should look at forensically to
> > determine the cause of this, it is appreciated. I'll first dig into
> > the logs, bash history etc. and really hope that this happened very
> > recently.
> >
> > Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus
> signatures; you might scan your box with that. It has an on-access,
> realtime monitor option as well, which I use to monitor anything
> downloaded and/or compiled on my box (in case the distribution screen
> gets hacked).
>
> >
> Presuming you're rooted, you might first try their stand-alone, Linux
> live-disk scanner so as to avoid a borked kernel and/or core utilities:
>

Another idea to help with your forensics would be to bring a netstat and lsof binary over to your machine and run them to see which actors are running and trying to get out. That could help you detect what is running on that machine and google your way from there. You could also run rkhunter.
--
Regards,
Mick
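One way to make the "bring a trusted lsof over and see who is trying to get out" step repeatable, as an added example that is not part of this thread: the script parses `lsof -i -n -P` output captured with the trusted binary (a constructed sample is embedded here) and separates listeners from established outbound connections, flagging any process name not in an analyst-supplied allowlist. The `EXPECTED` set, the sample lines and the `.x` process in them are assumptions for illustration.

```python
import re

# Constructed sample of `lsof -i -n -P` output; not real data from the thread.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     5678 root    3u  IPv4  23456      0t0  TCP 10.0.0.5:22->192.0.2.10:51234 (ESTABLISHED)
ntpd     2222 ntp    16u  IPv4  45678      0t0  UDP *:123
.x       4321 root    5u  IPv4  34567      0t0  TCP 10.0.0.5:41234->198.51.100.7:6667 (ESTABLISHED)
"""

# Hypothetical allowlist: processes the analyst expects to touch the network on this box.
EXPECTED = {"sshd", "ntpd"}

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, where NAME is "local[->remote] [(STATE)]".
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>.+?)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)

def parse_lsof(text):
    """Turn lsof lines into dicts; the header and anything unparsable is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        local, _, remote = rec.pop("name").partition("->")
        rec["local"], rec["remote"] = local, remote
        rec["state"] = rec["state"] or ""          # UDP sockets carry no state
        records.append(rec)
    return records

def triage(text, expected=EXPECTED):
    """Group sockets into listening / outbound and flag commands outside the allowlist."""
    report = {"listening": [], "outbound": [], "suspicious": []}
    for r in parse_lsof(text):
        tag = f"{r['cmd']}[{r['pid']}] as {r['user']} {r['proto']} {r['local']}"
        if r["remote"]:                              # a peer address means it is talking out
            tag += f" -> {r['remote']} ({r['state']})"
            report["outbound"].append(tag)
        else:
            report["listening"].append(tag)
        if r["cmd"] not in expected:
            report["suspicious"].append(tag)
    return report

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LSOF).items():
        print(section.upper(), *items, sep="\n  ")
```

Feed it the output of the trusted binary rather than the box's own `lsof`, since a rootkit that hides processes from the native tools is exactly what the thread is worried about.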