On Tue, 22 Apr 2014 00:13:58 +0200 "zGreenfelder" <zgreenfel...@gmail.com> wrote:
> I have a machine that seems to have been compromised;

Finding changed or foreign files your package manager can't verify is quite bad, but finding them in root-owned directories points to a potential* root compromise.

*Note I have to say "potential" because I have not been given any details of the incident except what you told us.

> I've managed to capture a couple files that seem to have been left behind for nefarious reasons
> (they make many network connections out to various sites, they don't seem to belong to any rpms (/lib/sshd & /bin/cpusd),

Seen http://askubuntu.com/questions/440919/how-to-deal-with-malware-on-my-laptop ?

> is it helpful/desirable at all to submit such malware'd files to be included as checks?

Please do add them to our bug tracker and do submit them to ClamAV and Linux Malware Detect (LMD) as well.

> I really want this machine and its functions back.

I'm afraid that won't (shouldn't!) be the case: restoring a backup w/o first properly investigating the root compromise may expose the same loophole again. Unfortunately such investigations aren't a topic for this mailing list. (You can reach me at www.linuxquestions.org/questions/linux-security-4/ or www.centos.org/forums/ though, else pick any other people / place you trust.) In any case please take note of at least the CERT Steps for Recovering from a UNIX or NT System Compromise (https://www.cert.org/historical/tech_tips/win-UNIX-system_compromise.cfm) if you're not familiar with this kind of incident.

Good luck,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
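The triage the reply describes (files the package manager can't verify, sitting in root-owned places), as an added shell example that is not from the thread or the rkhunter project; it assumes rpm is the package manager and uses an assumed RPM_CMD hook variable so the same logic can be exercised with a stub where rpm is absent:

```shell
#!/bin/sh
# Added example, not code from the thread: triage suspect paths the way the
# reply suggests, by asking rpm whether each file belongs to an installed
# package and, if so, whether it still verifies, and by noting root ownership.
# RPM_CMD is an assumed hook (defaults to rpm) so the logic can be exercised
# with a stub where rpm is not installed.
: "${RPM_CMD:=rpm}"

# classify_path PATH -> prints: missing | foreign | modified | packaged
classify_path() {
    p=$1
    [ -e "$p" ] || { echo missing; return 0; }
    # rpm -qf exits non-zero when no installed package owns the file
    if ! "$RPM_CMD" -qf "$p" >/dev/null 2>&1; then
        echo foreign; return 0
    fi
    # rpm -Vf lists every file of the owning package that differs from the
    # package database; the path is the last field of each reported line
    if "$RPM_CMD" -Vf "$p" 2>/dev/null | awk -v p="$p" '$NF == p { hit=1 } END { exit !hit }'; then
        echo modified
    else
        echo packaged
    fi
}

# owner_label PATH -> prints root-owned | non-root (POSIX find, no stat flags)
owner_label() {
    if [ -n "$(find "$1" -prune -user root -print 2>/dev/null)" ]; then
        echo root-owned
    else
        echo non-root
    fi
}

# triage PATH... -> one line per path: <class> <owner> <path>
triage() {
    for p in "$@"; do
        c=$(classify_path "$p")
        if [ "$c" = missing ]; then
            echo "missing - $p"
        else
            echo "$c $(owner_label "$p") $p"
        fi
    done
}

# e.g. sh triage.sh /lib/sshd /bin/cpusd  (the two paths named in the thread)
if [ $# -gt 0 ]; then triage "$@"; fi
```

A "foreign" or "modified" verdict on a root-owned path is the signal the reply is talking about; it is a lead for the investigation, not proof on its own, since rpm's database can itself be tampered with on a rooted host.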