From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-user@lists.gentoo.org
Date: Mon, 09 Aug 2010 14:59:11 -0400
Subject: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
Message-ID: <4C604FFF.3060309@gmail.com>
On 08/09/10 12:25, Paul Hartman wrote:
[]
> If anyone has advice on what I should look at forensically to
> determine the cause of this, it is appreciated. I'll first dig into
> the logs, bash history etc. and really hope that this happened very
> recently.
>
> Thanks for any tips and wish me good luck. :)

AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus signatures; you might scan your box with that. It has an on-access, realtime monitor option as well, which I use to monitor anything downloaded and/or compiled on my box (in case the distribution screen gets hacked).

Presuming you're rooted, you might first try their stand-alone Linux live-disk scanner so as to avoid a borked kernel and/or core utilities:
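Added example, not part of the thread above and not Avira's or Gentoo's own tooling: once the suspect disk is mounted read-only from a live environment (the mount point /mnt/victim below is an assumption), the box's own package database can be used as a baseline, independent of any signature scanner. Portage records every installed file in var/db/pkg/<cat>/<pkg>/CONTENTS with its md5 at install time, so recomputing those hashes from the clean kernel and coreutils of the live disk flags replaced or deleted system binaries, which is where a rootkit's trojaned ls/ps/netstat would show up. The CONTENTS parsing assumes paths without spaces, which holds for system binaries.

```shell
#!/bin/sh
# Offline integrity check of a mounted Gentoo root (added example).
# Usage: check_root /mnt/victim ; list_suid /mnt/victim
# Run from a live disk, never from the suspect kernel/coreutils.
# CONTENTS "obj" lines have the form:  obj <abs path> <md5> <mtime>
set -u

# md5 of a file; works with GNU md5sum or BSD md5
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# check_root <mounted_root>: print "MODIFIED <path>" for every packaged file
# whose current md5 differs from the one Portage recorded and "MISSING <path>"
# for packaged files that are gone. Returns 1 if anything was reported.
check_root() {
    root=$1
    bad=0
    for contents in "$root"/var/db/pkg/*/*/CONTENTS; do
        [ -f "$contents" ] || continue
        # type=obj|dir|sym, path is absolute within the root, sum is the md5
        while read -r type path sum _rest; do
            [ "$type" = obj ] || continue
            f="$root$path"
            if [ ! -f "$f" ]; then
                echo "MISSING $path"
                bad=1
                continue
            fi
            if [ "$(md5_of "$f")" != "$sum" ]; then
                echo "MODIFIED $path"
                bad=1
            fi
        done < "$contents"
    done
    return $bad
}

# list_suid <mounted_root>: setuid/setgid files on the suspect filesystem,
# a classic place for a dropped root shell; compare against CONTENTS output.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
```

A clean result only means the packaged files match the database; the database itself lives on the compromised disk, so a careful intruder can rewrite the recorded md5s. Treat a mismatch as strong evidence and a match as weak evidence, and cross-check anything in list_suid that no CONTENTS file accounts for.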