From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice
From: Paul Hartman <paul.hartman@gmail.com>
To: gentoo-user@lists.gentoo.org
Date: Mon, 9 Aug 2010 14:08:03 -0500
In-Reply-To: <4C604FFF.3060309@gmail.com>
References: <4C604FFF.3060309@gmail.com>
List-Id: Gentoo Linux mail <gentoo-user@lists.gentoo.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Archives-Salt: 198b5aea-5541-4121-8938-06d9be45fc0e
X-Archives-Hash: d6df4341eb1aeeb1799fb6bc6fecf9f0

On Mon, Aug 9, 2010 at 1:59 PM, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
>> If anyone has advice on what I should look at forensically to
>> determine the cause of this, it is appreciated. I'll first dig into
>> the logs, bash history etc. and really hope that this happened very
>> recently.
>>
>> Thanks for any tips and wish me good luck. :)
>
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus
> signatures; you might scan your box with that. It has an on-access,
> realtime monitor option as well, which I use to monitor anything
> downloaded and/or compiled on my box (in case the distribution screen
> gets hacked).
>
> Presuming you're rooted, you might first try their stand-alone, Linux
> live-disk scanner so as to avoid borked kernel and/or core utilities:
>

Was not aware of that one, I'll give it a try. Thanks.
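The advice quoted above rests on one principle: once a box may be rooted, its own kernel and core utilities (ls, ps, find, even the shell) can no longer be trusted to report honestly, so inspection has to happen from a clean environment such as a live disk, comparing the mounted filesystem against data recorded from a trusted source. The script below is an added example written for this post, not code from the thread or from Avira: it builds a SHA-256 manifest of a tree (meant to be generated from install media or a known-clean system) and then reports files that were modified, removed, or newly added on a suspect tree mounted read-only. The directory contents, file names, and the "trojaned ps" scenario in demo() are constructed for illustration.

```python
"""Offline file-integrity comparison for a suspect filesystem.

Added example (not from the gentoo-user thread). Run it from a live disk
against a read-only mount of the suspect root, with the manifest produced
beforehand on a trusted machine. All sample paths/contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root.

    Symlinks are skipped: hashing their targets would hide a swapped link.
    Path separators are normalised to '/' so manifests are portable.
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_tree(root, manifest):
    """Compare the tree at root with a trusted manifest.

    Returns {'modified': [...], 'missing': [...], 'added': [...]}; 'added'
    matters as much as 'modified', since dropped tools often live beside
    legitimate binaries.
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: hash a clean tree, then tamper with a copy of it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        files = {
            "bin/ls": b"ls-binary-v1",        # constructed stand-in for a real binary
            "bin/ps": b"ps-binary-v1",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        }
        for tree in (clean, suspect):
            for rel, data in files.items():
                path = os.path.join(tree, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(clean)  # what a trusted system would have produced

        # Simulated tampering on the suspect tree: replaced ps, extra hidden file, removed ls.
        with open(os.path.join(suspect, "bin", "ps"), "wb") as f:
            f.write(b"ps-binary-replaced")
        with open(os.path.join(suspect, "bin", ".hidden"), "wb") as f:
            f.write(b"unexpected-file")
        os.remove(os.path.join(suspect, "bin", "ls"))

        return verify_tree(suspect, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is written to removable media on the trusted system (for example by serialising build_manifest("/") as JSON) and the suspect disk is mounted read-only under the live environment before verify_tree runs, so that neither the hashing nor the comparison depends on any binary from the compromised install. Files that legitimately change (logs, caches, /etc edits) show up as modified and need to be triaged by hand; the value of the check is in binaries and libraries that should never differ from the package manager's copy.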