On Monday 09 August 2010 19:59:11 7v5w7go9ub0o wrote:
> On 08/09/10 12:25, Paul Hartman wrote:
> []
> 
> > If anyone has advice on what I should look at forensically to
> > determine the cause of this, it is appreciated. I'll first dig into
> > the logs, bash history etc. and really hope that this very happened
> > recently.
> > 
> > Thanks for any tips and wish me good luck. :)
> 
> AntiVir (Avira) anti-malware scanner has hundreds of Linux rootkit/virus
> signatures; you might scan your box with that. It has an on-access,
> realtime monitor option as well, which I use to monitor anything
> downloaded and or compiled on my box (in case the distribution screen
> gets hacked).
> 
> <http://www.free-av.com/en/download/download_servers.php>
> 
> Presuming you're rooted, you might first try their stand-alone, linux
> live-disk scanner so as to avoid borked kernel and/or core utilities:
> 
> <http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html>

Another idea to help with your forensics would be to bring netstat and lsof 
binaries over to your machine and run them to see which actors are running and 
trying to get out.  That could help you detect what is running on that machine 
and google your way from there.

You could also run rkhunter.
-- 
Regards,
Mick
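Parsing the kernel's own /proc/net/tcp is a complementary way to get the netstat view on a possibly rooted box without trusting an on-disk netstat that may have been replaced. This is an added example, not code from the thread; the /proc/net/tcp text and the expected port set in it are constructed.

```python
"""Added example: read TCP socket state straight from /proc/net/tcp (a kernel
interface) instead of a userland netstat binary that a rootkit may have swapped.
Format per row: sl local_address rem_address st ... uid timeout inode, with
IPv4 addresses as little-endian hex and ports as hex. 0A = LISTEN, 01 = ESTABLISHED."""
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of what /proc/net/tcp might contain on a compromised host.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 0100007F:D2A5 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C3A8 176433C6:1F90 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

def decode_v4(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); the address bytes are little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Turn the text of /proc/net/tcp into a list of socket records."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        sockets.append({
            "local": decode_v4(fields[1]),
            "remote": decode_v4(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # match to a PID via /proc/<pid>/fd with a trusted ls
        })
    return sockets

def suspicious(sockets, expected_ports):
    """Listeners outside the admin's expected port set, plus established
    connections to non-loopback peers (what a reverse shell or beacon looks like)."""
    return [s for s in sockets
            if (s["state"] == "LISTEN" and s["local"][1] not in expected_ports)
            or (s["state"] == "ESTABLISHED" and not s["remote"][0].startswith("127."))]

if __name__ == "__main__":
    for s in suspicious(parse_proc_net_tcp(SAMPLE), {22}):
        print(s["state"], s["local"], "->", s["remote"], "uid", s["uid"], "inode", s["inode"])
```

On a live box, replace SAMPLE with the contents of /proc/net/tcp (and /proc/net/tcp6, which uses 32-hex-digit addresses and needs a different decoder) read by an interpreter you brought from trusted media.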
