On 14-08-15 10:01 AM, Scott Bonds wrote:
I'm running OpenBSD 5.5-stable on my laptop as well. My laptop isn't
running any public services AFAIK...I've configured the ones I'm running
on it (like unbound) to only respond to local requests. Then again, I
haven't tested those ports from another machine to verify that I locked
them down the way I think I have, and now that I think about it, that
would be a good idea--I'll add that to my todo list.

If my laptop config IS properly locked down, it would need to be a trojan
horse or some kind of Firefox or email-based vector, I suppose. Let's
see... well, my laptop rc.local doesn't have any mystery files, at least.

While a long way from perfect, tools such as "chkrootkit" and "rkhunter" might shed some light on your situation. As Giancarlo said, check every machine that's closely interconnected, not just the one compromised server you've noticed. I haven't used them under OpenBSD, so not sure how effective they'll be (both projects claim to support OpenBSD), but they're probably more appropriate than clamscan(1) which looks for mostly MS Windows-based viruses, not rootkits.

--
-Adam Thompson
 athom...@athompso.net
