On Fri, 16 Sep 2005 09:50, Nick Rout wrote:
> I am embarrassed to say that my home system has been hacked into just
> last night, an hour or two before Steve's first message on this subject.
[snip]
> I ssh'd into my work machine and pulled chkrootkit off it (already
> compiled) and managed to make it work on the home machine. Strangely tar
> worked when installing the binary version via emerge. chkrootkit
> reported nothing untoward. I am not 100% sure how chkrootkit works, and
> whether it can be run for the "first" time on an already compromised
> network.

I hope you didn't ssh to your work box from the compromised box? If you did 
then I would recommend changing the password you used (if there was one) for 
that and having a good look at that box too, just to be sure.

> I am now worried that it is extremely likely that something has been
> compromised (besides my root password, which I will change). The machine
> is "taking stress leave and won't be in the internet today". But this
> weekend I have the choice of doing further tests, or doing a complete
> re-install (/home is on a separate partition). What do people recommend?

Reinstall. If you have the resources then I would clone the drive onto another 
disk, or use a fresh disk to install onto. You then have the compromised disk 
for further analysis later on.

Do a thorough check of that home partition too.

HTH

hads

-- 
If you want your spouse to listen and pay strict attention to every
word you say, talk in your sleep.
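
One way to carry out the "thorough check of that home partition" recommended above before reattaching /home to a fresh install, as an added example that is not part of the original message. The function name `audit_home`, the finding categories and the reference-file convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage a preserved /home before reusing it after a reinstall.
# The categories checked are assumptions chosen for this example.

# audit_home DIR [REF]  ->  prints "<CATEGORY> <relative path>" per finding.
# REF (absolute path) is a file whose mtime marks the last time the box
# was believed clean, e.g. created with: touch -t YYYYMMDDhhmm /tmp/ref
audit_home() (
    ref=${2:-}
    cd "$1" || exit 1

    # setuid/setgid binaries do not belong on a home partition
    find . -xdev -type f \( -perm -4000 -o -perm -2000 \) | sed 's/^/SUID_SGID /'

    # every key listed in these files can log in without the password
    find . -xdev -type f \( -name authorized_keys -o -name authorized_keys2 \) |
        sed 's/^/SSH_KEYS /'

    # scripts that run automatically at the next login
    find . -xdev -type f \( -name .bashrc -o -name .bash_profile \
        -o -name .bash_login -o -name .profile -o -name .xinitrc \) |
        sed 's/^/LOGIN_SCRIPT /'

    # executables tucked away inside hidden directories
    find . -xdev -type f -perm -0100 -path '*/.*/*' | sed 's/^/HIDDEN_EXEC /'

    # anything changed since the reference point
    if [ -n "$ref" ] && [ -e "$ref" ]; then
        find . -xdev -type f -newer "$ref" | sed 's/^/MODIFIED_SINCE /'
    fi
)
```

Run it with the partition mounted read-only from the fresh install or a rescue system rather than from the compromised system, whose own `find` and `sed` may have been replaced.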
