Hi.
On Mon, 24 Feb 2014 16:24:19 +0100
ha <hiei.arh...@gmail.com> wrote:

> Hi!
>
> > Try to find that file. ( run something like "find / -name vmtoolsd" )
>
> I did. It only shows that files are there:
> /etc/pam.d/vmtoolsd
> /usr/bin/vmtoolsd
<…>
> echo $PATH
> does not show my home directory
>
> I did not install anything from source.

To answer your question - yes, you're right to be paranoid.

In Debian, software doesn't install by itself; installing software requires human intervention. You didn't do it = someone else did it.

Whether virtualization can be used to gain a backdoor is irrelevant here; what's relevant is that someone has root privileges on your host already.

Now, whether these privileges were carelessly used to install vmtoolsd Slackware-style (i.e. not using apt or deb), or these privileges were used to do something more (say, replacing sshd with its keylogged version) - that's really interesting.

I suggest that you:

1) Reboot the system using a known-good LiveCD. That's really important as you cannot trust the integrity of the OS on this host.

2) Mount the host's / filesystem and /var filesystem somewhere ('/mnt' will do).

3) Run debsums -ac -r /mnt

4) If, and only if, debsums doesn't report anything unusual - purge vmtoolsd, clean up anything in /usr/local, change the root password, remove any ssh public keys from /root/.ssh/authorized_keys, reboot to normal.

5) If debsums shows any file replacements (especially /usr/sbin/sshd, /bin/bash, etc) - reinstall the OS from scratch.

Reco
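The offline check from steps 2 to 5 above, as an added example that is not part of the original message: it lists executables that no package claims (a file copied in without apt or dpkg never appears in debsums output) and classifies the `debsums -ac` result. The function names, the "review" tier for /etc-only changes, and the assumption that debsums prints one changed path per line are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is where the suspect system's
# filesystems are mounted from the live CD (/mnt in the message above).

# List regular files in ROOT's executable directories that no package's
# file list claims, using the dpkg database stored on the mounted system.
unowned_files() {
    root=${1%/}
    owned=$(mktemp) || return 1
    # Each info/*.list file holds the absolute paths one package installed.
    cat "$root"/var/lib/dpkg/info/*.list 2>/dev/null | sort -u > "$owned"
    ( cd "$root/" && find bin sbin usr/bin usr/sbin usr/local -type f 2>/dev/null ) |
        sed 's|^|/|' | sort | grep -Fxv -f "$owned" || true
    rm -f "$owned"
}

# Classify `debsums -ac` output (one changed path per line) read from stdin.
# Assumption made for this example: changes under /etc alone are "review",
# since configuration files are routinely edited; any other changed path is
# treated as a replaced program or library file.
debsums_verdict() {
    root=${1%/}
    verdict=clean
    while IFS= read -r path; do
        path=${path#"$root"}    # accept paths with or without the ROOT prefix
        case $path in
            /etc/*) [ "$verdict" = clean ] && verdict=review ;;
            /*)     verdict=reinstall ;;
        esac
    done
    echo "$verdict"
}

# Usage: sh triage.sh /mnt   (after mounting the host's / and /var there)
if [ -n "${1:-}" ]; then
    echo "== files not owned by any package =="
    unowned_files "$1"
    echo "== debsums verdict =="
    debsums -ac -r "$1" | debsums_verdict "$1"
fi
```

Both checks read the dpkg database from the suspect disk itself, so a clean result is only as trustworthy as that database. On merged-/usr systems, where /bin is a symlink to usr/bin, package lists may record /bin paths and produce false "unowned" hits.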