Rumen Yotov wrote:
> On Sat, 2006-03-25 at 18:03 +0000, Mick wrote:
>> Hi All,
>>
>> I don't know what to make of the attached. I found it in my distfiles. I
>> can't think how I could have saved anything like that in there myself.
>> As far as I know portage would not save anything like that there (no
>> package that I know of). What else could it be?
>>
>> Has this box been compromised?
>> --
>> Regards,
>> Mick
> Hi,
> Check the time of creation and if there are more files with nearly equal
> time/date. Check against time/date of merged packages (genlop --help).
> Scan with 'rkhunter & chkrootkit', preferably from a LiveCD.
> PS: there's a very small probability of a typo in some ebuild which
> could fetch this file from another URL. Or the worst scenario - some
> Gentoo mirror might have been compromised.
> No more ideas for the time being. Backup your data first.
Thanks Rumen. Both chkrootkit and rkhunter come up clean. On the same day I
had updated the following packages:
===================================
# genlop -l --date 2005-05-25 --date 2005-05-26
* sys-apps/debianutils
Wed May 25 19:12:29 2005 >>> sys-apps/debianutils-2.13.1-r1
Wed May 25 19:13:53 2005 >>> app-forensics/chkrootkit-0.45
Wed May 25 19:16:57 2005 >>> dev-util/strace-4.5.11
Wed May 25 19:29:53 2005 >>> www-client/mozilla-bin-1.7.8
Wed May 25 19:30:47 2005 >>> www-client/mozilla-firefox-bin-1.0.4
Wed May 25 19:31:35 2005 >>> www-client/opera-7.54-r3
===================================
However, the suspect file was (apparently) stored there slightly earlier:
===================================
# ls -la /usr/portage/distfiles/index.html
-rw-r--r-- 1 root portage 37070 May 25
2005 /usr/portage/distfiles/index.html
===================================
The other thing I noticed is that I have a number of M$Windoze font
executables all over portage; e.g. impact32.exe, georgi32.exe, etc. I
cannot remember if I copied them over from my WinXP partition, but even if
I did, why would I ever save these in /usr/portage/distfiles?!! Are these
files used by Linux?
I never use browsers as root and can't remember using wget for a plain html
page (as opposed to a download). I don't want to get all paranoid
unnecessarily, but I remember reading something about doing a double emerge
--sync, using different rsync servers and then comparing file signatures
before an emerge. Do I need to start looking into how to do this, or is
there a simpler explanation for the state of my box?
--
Regards,
Mick
--
[email protected] mailing list
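The two checks suggested in this thread, correlating the suspect file's timestamp with other files in distfiles and checking distfiles against the portage tree's own checksums, as an added example script that is not part of the thread and not Gentoo's own tooling. It assumes GNU coreutils and findutils (stat -c, touch -d, sha256sum, find -newermt) and assumes per-package Manifest files with lines of the form "DIST <file> <size> ... SHA256 <hex>"; the fixture it builds under mktemp is constructed sample data, not Mick's box.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU coreutils/findutils
# and Manifest lines of the form: DIST <file> <size> [<ALGO> <hex>]...

# Classify every file in a distfiles directory against the Manifests in a tree:
#   orphan          - no Manifest lists it (nothing in the tree would fetch it)
#   size-mismatch   - listed, but the size differs from the Manifest
#   sha256-mismatch - listed, but the SHA256 differs from the Manifest
#   ok              - listed and size (and SHA256, if recorded) match
# usage: check_distfiles <portage_tree> <distfiles_dir>
check_distfiles() {
    tree=$1; dist=$2
    # One "name size sha256-or-dash" line per DIST entry found in any Manifest.
    index=$(find "$tree" -name Manifest -exec awk '
        $1 == "DIST" {
            sha = "-"
            for (i = 4; i < NF; i += 2) if ($i == "SHA256") sha = $(i + 1)
            print $2, $3, sha
        }' {} +)
    for f in "$dist"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        entry=$(printf '%s\n' "$index" | awk -v n="$name" '$1 == n { print; exit }')
        if [ -z "$entry" ]; then printf 'orphan %s\n' "$name"; continue; fi
        set -- $entry
        want_size=$2; want_sha=$3
        [ "$(stat -c %s "$f")" = "$want_size" ] ||
            { printf 'size-mismatch %s\n' "$name"; continue; }
        if [ "$want_sha" != "-" ]; then
            [ "$(sha256sum "$f" | cut -d' ' -f1)" = "$want_sha" ] ||
                { printf 'sha256-mismatch %s\n' "$name"; continue; }
        fi
        printf 'ok %s\n' "$name"
    done
}

# List files under <dir> whose mtime lies within +/- <minutes> of <ref>'s mtime,
# i.e. the "more files with nearly equal time/date" check from the thread.
# usage: files_near <ref_file> <dir> [minutes]
files_near() {
    ref=$1; dir=$2; mins=${3:-30}
    t=$(stat -c %Y "$ref")
    find "$dir" -type f -newermt "@$((t - mins * 60))" \
        ! -newermt "@$((t + mins * 60))" | sort
}

# Constructed fixture: a tiny portage-like tree plus a distfiles directory
# holding one legitimate tarball, an unexplained index.html and a stray .exe.
# Prints the fixture's root directory.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/portage/app-forensics/chkrootkit" "$root/distfiles"
    tarball=$root/distfiles/chkrootkit-0.45.tar.gz
    printf 'constructed tarball contents\n' > "$tarball"
    printf 'DIST chkrootkit-0.45.tar.gz %s SHA256 %s\n' \
        "$(stat -c %s "$tarball")" "$(sha256sum "$tarball" | cut -d' ' -f1)" \
        > "$root/portage/app-forensics/chkrootkit/Manifest"
    printf '<html></html>\n' > "$root/distfiles/index.html"
    printf 'MZ\n' > "$root/distfiles/impact32.exe"
    # Timestamps modelled on the thread: index.html shortly before the merges.
    touch -d '2005-05-25 18:50:00' "$root/distfiles/index.html"
    touch -d '2005-05-25 19:13:00' "$tarball"
    touch -d '2005-05-01 10:00:00' "$root/distfiles/impact32.exe"
    printf '%s\n' "$root"
}

# Demo run on the constructed fixture; on a real box point the functions at
# /usr/portage and /usr/portage/distfiles instead.
demo_root=$(build_fixture)
check_distfiles "$demo_root/portage" "$demo_root/distfiles"
files_near "$demo_root/distfiles/index.html" "$demo_root/distfiles" 30
rm -rf "$demo_root"
```

An "orphan" result is not proof of compromise: files left behind by removed ebuilds, manual downloads and hand-copied files all show up the same way. A size or SHA256 mismatch on a file the tree does list is the result worth chasing, and the timestamp window narrows down which merge, if any, was running when the file appeared.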