Gary wrote:

> Gary responds:
> My conclusion wasn't just because the "nx" account respawned, it was
> the other half-dozen or so accounts that appeared out of nowhere --
> and hadn't been in the list a mere 15 minutes or so earlier! I didn't
> keep a list of them, but some at least seemed to have an advertising
> flavor to them. And spam-sending bot software doesn't need to be a
> "person" to do its dirty work, it could be a "machine" account.
>

Without knowing more about the processes that NoMachine NX runs, I cannot say what might happen if part of its installation is summarily deleted while the application is running. You might have deleted libraries and subroutines when you deleted the directory and its subdirs. Chances are that the binaries for the app were in /usr/local/bin, and when you deleted what you did, the running processes had a major meltdown.

> I also reacted to the fact that "/home" was in the chain somewhere,
> why do programs need a /home? I thought that putting it under
> "/usr/local" was a tactic to conceal it from casual browsing of one's
> own /home structure.
>

If you Google '/usr/local/home/', you will see why I drew the conclusion I did, that it was probably some sort of directory with user subdirs, for building from source or something... it got a bunch of hits. I just run Linux on one Desktop, and do most compiling from source on my OpenBSD machines, which have a /usr/ports/ tree that performs a similar function in BSD.

> Well, in any case, better safe than sorry. If I've alarmed anyone
> else unduly, I apologize.
>

I'm not alarmed.<g> Most rootkits are pretty clever, and can obfuscate their presence much more effectively than what you describe. They do this by replacing, for example, commands like 'ls' and 'ps' with new versions that will only show you what they want you to see, so that the kit could have its home directory right in /, and named 'rootkit', but when you ran

# ls -al /

...it simply would not show up in the list... at all, and the same for any processes rootkit was using, when you ran 'ps'.

>> The place to check and see who and what kind of users you have on your
>> system is the /etc/passwd file:
>>
>> http://en.wikipedia.org/wiki//etc/passwd
>
> Gary continues:
> Thank you, that's useful to know.
>

If I thought one of my machines had been rooted, the first thing I would do would be to take it out of the loop, by unplugging its ethernet cables. Then I would start comparing critical files... ones known to be replaced by rootkits... to see how they compared heuristically ...file size is the most readily obvious determinant... with known characteristics of known good files that install with the system.

http://www.securityfocus.com/infocus/1854

> Gary said:
>>> (Installing Fedora 8,) I've lost the GRUB entry to boot
>>> into Windows! I don't know how to manually re-enter the lines.
>>>
> Robert said:
>> Check:
>> http://www.linuxforums.org/forum/ubuntu-help/68350-add-windows-grub.html
>>
> Gary responds:
> Thank you but not needed. The grub entry WAS there, when I went to
> edit the grub conf file, I realized the countdown was so short I
> missed seeing it happen (and it was oh-dark hundred in the morning, I
> wasn't at my best), so I can in fact dual-boot normally!
>
> Given what you say about nx being part of Sabayon, though, I'll
> probably go back to it, now that my adrenaline has subsided. I like
> what Sabayon includes better than F-8, even if Sabayon's 12GB
> footprint is remarkably large for a Linux.
>

Where Linux is concerned, I have been running Red Hat since around 1999, and still have 3 years to go on my RH Enterprise installation. I started running OpenBSD on my servers when I got a high speed connection with 5 static IPs, and now have one OpenBSD Desktop installation running, which has become my preferred email/browsing Internet interface. If I can get a few more things to work on OBSD, like printing, and the flashplayers in the browsers, and my scanners... I might eventually ease my way out of Linux, the same gradual way I began easing my way out of Windows, back in 1999. I *do* still have two Windows installations, though, a Win 2k workstation, and an ancient DOS 6 with Windows 3.11... which I play with whenever I am in a nostalgic mood.<g>

-- 
-wittig
http://www.robertwittig.com/
http://robertwittig.net/
http://robertwittig.org/
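Robert's check above (pull the cable, then compare critical binaries such as 'ls' and 'ps' with known good copies, and look for accounts that appeared out of nowhere), written out as an added shell example that is not part of the original post: it records a baseline of sizes and SHA-256 sums for a list of binaries plus the account names from /etc/passwd, and later reports anything that changed. The binary list and file paths are assumptions, and because a kit that replaced 'ls' can just as well replace 'sha256sum', the check belongs on a clean rescue boot or with tools copied from trusted media.

```shell
#!/bin/sh
# Added example (not from the original post): record a baseline of critical
# binaries and local accounts, then re-check it for rootkit-style tampering.
# Run it from a clean rescue boot or with tools copied from trusted media,
# because a kit that replaced 'ls' can just as well replace 'sha256sum'.
set -u

# Binaries rootkits commonly swap out; the list itself is an assumption.
CRITICAL="${CRITICAL:-/bin/ls /bin/ps /bin/netstat /usr/bin/find /usr/bin/top}"

# Write one "path size sha256" line per binary and one "user:<name>" line
# per account found in the passwd file (default /etc/passwd).
make_baseline() {   # $1 = baseline file to create, $2 = passwd file
    out=$1; pw=${2:-/etc/passwd}
    : > "$out"
    for f in $CRITICAL; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$f" "$size" "$sum" >> "$out"
    done
    cut -d: -f1 "$pw" | sed 's/^/user:/' >> "$out"
}

# Compare the current state with a baseline. Prints one line per finding
# and returns the number of findings, so 0 means nothing changed.
check_baseline() {  # $1 = baseline file, $2 = passwd file
    base=$1; pw=${2:-/etc/passwd}; diffs=0
    while read -r f size sum; do
        case $f in user:*) continue ;; esac
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; diffs=$((diffs + 1)); continue
        fi
        cur_size=$(wc -c < "$f" | tr -d ' ')
        cur_sum=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$cur_size" != "$size" ] || [ "$cur_sum" != "$sum" ]; then
            echo "CHANGED $f (size $size -> $cur_size)"; diffs=$((diffs + 1))
        fi
    done < "$base"
    # Accounts present now but absent from the baseline: the half-dozen
    # "appeared out of nowhere" case described in the thread.
    for u in $(cut -d: -f1 "$pw"); do
        grep -qxF "user:$u" "$base" || { echo "NEW ACCOUNT $u"; diffs=$((diffs + 1)); }
    done
    return "$diffs"
}
```

Call make_baseline once on a freshly installed system and keep the file off the machine; run check_baseline against it later, and treat a nonzero return (the number of findings) as reason to keep the box unplugged.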
Yahoo! Groups: http://groups.yahoo.com/group/LINUX_Newbies/
