Hi Mike.
I will have to ask a few questions:
Did you install Firefox system-wide or just for your local user?
Check if anything is running as user warren ... and report it if you find one.
chkrootkit will only find what it knows about.
I will assume you upgraded from the Mepis repository; did you try to contact 
the Mepis team? Try if you did not.
Cheers
Szemir

PS:
ps faxu | grep warren
lsof | grep warren

Also check the uid and gid for warren; if it is 0:0 then I would advise 
disabling the account immediately.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
note the ^^ zeros; warren would have the same to be dangerous
cat /etc/shadow
warren:$1$YopY.wg3$jc6GMu2LCGeiAOHns55ls/:12741:0:99999:7:::
if warren looks similar to this, then put a ! after the first :
warren:!$1$YopY.wg3$jc6GMu2LCGeiAOHns55ls/:12741:0:99999:7:::
like this
if it looks like this
warren:!!:12371:0:99999:7:::
then it is less dangerous, but I would still just change the username and ask 
questions later.
warrenXX:!!:12371:0:99999:7:::
like this

Honestly, I don't think the Firefox package was compromised; it is way too hard 
to do so.

On February 27, 2005 12:07, Mike Fitton wrote:
> Hey gang,
>
> I had a weird thing happen yesterday. I have been running Pro-Mepis for a
> while now, and things have been working very smooth for me. Two days ago, I
> updated firefox from 1.0 to 1.1 and seemed to be fine. I was doing a bit of
> messing about in the directories, and noticed a new user added called
> "warren" around the same time as the update was done.
>
> Well that freaked me out a bit to say the least. I grabbed chkrootkit and
> ran that to find no problems with the system. I did notice in the
> properties for the user that root was the user and group. The only thing in
> the new users home account was .firefox and nothing else (No hidden files)
>
> I have no idea who "warren" is but I did a google and noticed that name as
> a ProMepis contributor/author. It was a bit unnerving to say the least, as
> I am behind a router and guard-dog firewall and I am pretty careful with
> downloading proggies etc.
>
> Am I to assume that firefox has done this? Any thoughts?
>
> Thanks
> Mike


_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
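The checks Szemir lists in his PS (uid/gid 0 in /etc/passwd, the state of the
password field in /etc/shadow, and locking the account with a leading "!"),
as an added example that is not part of the original thread. The function
names are my own, the sample passwd/shadow lines in the demo are constructed
(the warren hash is the one quoted in the post, not a real one), and nothing
is written back to /etc: every function reads the file it is given and prints
to stdout, so you can run it against copies first and decide afterwards.
On a real system `passwd -l warren` or `usermod -L warren` does the same
edit with proper locking of /etc/shadow.

```sh
#!/bin/sh
# Added example, not code from the clug-talk thread. Function names are
# assumptions of this example. Reads the files it is given; never edits /etc.

# Print "user:uid:gid" for every account other than root whose uid or gid is
# 0. Such an account is root-equivalent no matter what it is called.
find_root_equivalent_accounts() {
    # $1: path to a passwd-format file (e.g. a copy of /etc/passwd)
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 ":" $3 ":" $4 }' "$1"
}

# Classify one account from the password field of a shadow-format file:
#   locked       hash starts with "!" (passwd -l) or is "*" (never had one)
#   no-password  empty field: anyone can log in, which is worse, not better
#   unlocked     a usable hash is present
#   absent       no such line
shadow_account_state() {
    # $1: username, $2: path to a shadow-format file (e.g. a copy of /etc/shadow)
    awk -F: -v user="$1" '
        $1 == user {
            if ($2 == "")          print "no-password"
            else if ($2 ~ /^!/)    print "locked"
            else if ($2 ~ /^\*/)   print "locked"
            else                   print "unlocked"
            found = 1
        }
        END { if (!found) print "absent" }
    ' "$2"
}

# Emit a copy of a shadow-format file with the named account's password field
# prefixed by "!" (what "passwd -l user" does); every other byte is kept.
# An entry that already starts with "!" is left alone, so running it twice
# does not produce "!!!" and the original hash stays recoverable.
lock_shadow_account() {
    # $1: username, $2: path to a shadow-format file
    awk -F: -v OFS=: -v user="$1" '
        $1 == user && $2 !~ /^!/ { $2 = "!" $2 }
        { print }
    ' "$2"
}

# Processes owned by an account. Unlike "ps faxu | grep warren" this matches
# the owner field only, not the string "warren" anywhere in a command line.
processes_for_user() {
    # $1: username
    ps -u "$1" -o pid=,user=,comm= 2>/dev/null
}

# Demo on constructed sample files (not Mike's real system).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'warren:x:0:0::/home/warren:/bin/bash' \
        'mike:x:1000:1000:Mike:/home/mike:/bin/bash' > "$tmp/passwd"
    printf '%s\n' \
        'root:$1$dummy$dummydummydummy:12741:0:99999:7:::' \
        'warren:$1$YopY.wg3$jc6GMu2LCGeiAOHns55ls/:12741:0:99999:7:::' \
        'mike:$1$dummy$dummydummydummy:12741:0:99999:7:::' > "$tmp/shadow"

    echo "root-equivalent accounts besides root (user:uid:gid):"
    find_root_equivalent_accounts "$tmp/passwd"
    echo "warren before: $(shadow_account_state warren "$tmp/shadow")"
    lock_shadow_account warren "$tmp/shadow" > "$tmp/shadow.locked"
    echo "warren after:  $(shadow_account_state warren "$tmp/shadow.locked")"
    grep '^warren:' "$tmp/shadow.locked"
    rm -rf "$tmp"
}

demo
```

Run it against copies (`cp /etc/passwd /etc/shadow /tmp/audit/` as root) and
read the output before touching anything; if `find_root_equivalent_accounts`
lists warren with 0:0, lock the account first and investigate second, because
a uid-0 account with a valid hash is a second root login, not just an odd
user. Note that `ps` output is only as trustworthy as the binary itself; a
rootkit that chkrootkit does not know about can hide from it just as well.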
