On Tue, Apr 22, 2014 at 01:11:45AM +0200, unsp...@hushmail.com wrote:
> On Tue, 22 Apr 2014 00:13:58 +0200 "zGreenfelder"
> <zgreenfel...@gmail.com> wrote:
> > <snip>
> > I've managed to capture a couple files that seem to have been left behind for nefarious reasons (they make many network connections out to various sites, they don't seem to belong to any rpms (/lib/sshd & /bin/cpusd),
>
> Seen http://askubuntu.com/questions/440919/how-to-deal-with-malware-on-my-laptop ?
>
> > is it helpful/desirable at all to submit such malware'd files to be included as checks?
>
> Please do add them to our bug tracker and do submit them to ClamAV and Linux Malware Detect (LMD) as well.
>
> > I really want this machine and its functions back.
>
> I'm afraid that won't (shouldn't!) be the case: restoring a backup w/o first properly investigating the root compromise may expose the same loophole again. Unfortunately such investigations aren't a topic for this mailing list. (You can reach me at www.linuxquestions.org/questions/linux-security-4/ or www.centos.org/forums/ though, else pick any other people / place you trust.) In any case please take note of at least the CERT Steps for Recovering from a UNIX or NT System Compromise (https://www.cert.org/historical/tech_tips/win-UNIX-system_compromise.cfm) if you're not familiar with this kind of incident.

Thanks for the useful information, unSpawn.
rkhunter is one useful tool to detect intrusions and malware on a system. Other intrusion detection systems should also be applied - e.g. samhain, tripwire as well as other rootkit checkers and virus scanners. But you should always start them off on a clean system. There's no point in installing and initialising any other intrusion detection software now.

With any compromise - root or not - the safest thing to do is to re-install the operating system and security patches without connecting to the network. If you must connect to a network to get the security patches then construct an iptables firewall that allows access in and out only from the sources you'll be using and localhost. Of course this implies you have physical access to the machine. If you're working remotely on it then you need to allow yourself in as well.

After that get and set up your preferred rootkit hunters and intrusion detection software. Then you can start looking at activating other services you might need. Only restore known user data from backups.

After that make sure you keep up to date with your scans for rootkits and intrusion detection and at least all relevant security updates from your chosen OS.

Kind regards
Lesley

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
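The "patch-only" iptables firewall Lesley describes, as an added example that is not part of this thread or of rkhunter itself: a POSIX shell function that emits a default-deny ruleset allowing only loopback, established replies, SSH in from one admin address, DNS to one resolver, and HTTP/HTTPS out to the update mirrors you name. Everything else is logged and dropped, so any leftover implant that still tries to call out (like the /lib/sshd and /bin/cpusd files from the original report) shows up in the kernel log instead of reaching the network. All addresses below are constructed RFC 5737 documentation values, and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the rkhunter-users thread.
# Emit an iptables ruleset for a freshly reinstalled box that must
# fetch security updates before anything else is allowed on the wire.
#
# Usage:  gen_update_firewall_rules ADMIN_IP RESOLVER_IP MIRROR_IP [MIRROR_IP ...]
#         prints the rules; add APPLY=1 on the command line to apply them.
gen_update_firewall_rules() {
    admin="$1"; shift      # address you administer from (SSH in)
    resolver="$1"; shift   # the one DNS server the updater may query
    # remaining arguments: update mirrors reachable on 80/443

    cat <<EOF
# flush and default-deny in every direction
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# localhost stays fully usable
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to flows we explicitly open below
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# remote administration: new SSH sessions only from the admin address
iptables -A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# name resolution for the package manager, to one known resolver only
iptables -A OUTPUT -p udp -d $resolver --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF

    # one outbound rule per mirror, nothing else may leave the host
    for mirror in "$@"; do
        printf 'iptables -A OUTPUT -p tcp -d %s -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT\n' "$mirror"
    done

    cat <<EOF
# log what falls through so leftover implants that beacon out are visible
iptables -A OUTPUT -j LOG --log-prefix "FW-OUT-DROP: " --log-level 4
iptables -A INPUT -j LOG --log-prefix "FW-IN-DROP: " --log-level 4
EOF
}

# Constructed sample addresses (RFC 5737 documentation ranges):
#   admin 203.0.113.10, resolver 203.0.113.53, mirrors 198.51.100.20/.21
if [ "${APPLY:-0}" = 1 ]; then
    gen_update_firewall_rules "$@" | sh        # run as root to apply
else
    gen_update_firewall_rules 203.0.113.10 203.0.113.53 198.51.100.20 198.51.100.21
fi
```

Because the ruleset is generated rather than typed live, you can review the exact lines before applying them, and the LOG targets give you a cheap check after the reinstall: anything matching FW-OUT-DROP in the kernel log is a process trying to reach a destination you did not whitelist, which is exactly the behaviour zGreenfelder described and the reason Lesley recommends not trusting the old install.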