On Thu, Jan 26, 2012 at 08:37, Lynda <shr...@deaddrop.org> wrote:
> On 1/26/2012 2:29 AM, Dan Foster wrote:
>> Hot Diggety! Tom Perrine was rumored to have written:
>>> On Tue, Jan 24, 2012 at 12:08 PM, Dan Schlitt <d...@2600c.com> wrote:
>>>> Thanks for all the suggestions. Reinstalling didn't seem to change
>>>> anything. To take care of the file I just pointed it to /devnull.
>>>
>>> If you haven't done the full system re-install, you really need to go
>>> that route.
>>
>> Tom speaks the absolute truth. From what you've described so
>> far, you've been compromised badly.
>
> I can't believe this discussion is still going on. Let me add yet another
> voice here. It's pre-caffeinated, so I'm trying to be on my good behavior.
It may be pre-caffeinated, but it's dead on target. That machine is not
trustworthy, period.

To the OP: Duplicate the hard drives if you want to perform forensics, then
nuke and pave. Ideally, restore only from trusted media, not from anything
that was actually on the compromised system. DO NOT TRUST ANYTHING ON THE
COMPROMISED SYSTEM.

BTW, there is no aes1.h; it's fairly obviously hoping someone will miss the
difference between aes.h and asn1.h. I've seen this kind of thing (including
using a supposed include file which is a slight modification of multiple
standard file names chosen for maximum eyeglaze factor) on a bunch of
compromised systems (lots of that in the undergrad labs...); someone gets an
irony point for hiding it in the openssl hierarchy. :)

-- 
brandon s allbery                                      allber...@gmail.com
wandering unix systems administrator (available)       (412) 475-9364 vm/sms
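The look-alike header name Brandon describes (aes1.h sitting next to the real aes.h and asn1.h) is the kind of thing a package-manifest check catches and a casual `ls` does not. The script below is an added example, not code from this thread or from OpenSSL: it compares a directory listing against a known-good manifest and ranks every unexpected name by how few edits separate it from a legitimate one, so near-misses surface first. The manifest and the listing here are constructed samples (a handful of real OpenSSL header names plus two invented look-alikes and an unrelated file); on a real system you would feed it the file list from `dpkg -L` or `rpm -ql` for the openssl development package, which is assumed rather than shown.

```python
import os
from typing import Dict, Iterable, List, Tuple

# Constructed sample manifest: a few real OpenSSL header names standing in for
# the full list a package manager would give you (dpkg -L / rpm -ql).
KNOWN_OPENSSL_HEADERS = frozenset({
    "aes.h", "asn1.h", "asn1t.h", "bio.h", "bn.h", "evp.h",
    "md5.h", "rand.h", "ssl.h", "x509.h",
})

# Constructed sample directory listing: the manifest headers plus two
# invented look-alike names and one unrelated file.
OBSERVED_LISTING = [
    "aes.h", "asn1.h", "asn1t.h", "bio.h", "bn.h", "evp.h", "md5.h",
    "rand.h", "ssl.h", "x509.h", "aes1.h", "ss1.h", "README",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two names."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalikes(name: str, known: Iterable[str], max_dist: int = 2) -> List[Tuple[str, int]]:
    """Legitimate names within max_dist edits of `name`, nearest first."""
    hits = [(k, levenshtein(name, k)) for k in known]
    return sorted(((k, d) for k, d in hits if d <= max_dist),
                  key=lambda kd: (kd[1], kd[0]))


def find_unexpected(listing: Iterable[str], known: Iterable[str],
                    max_dist: int = 2) -> List[Dict]:
    """Every name absent from the manifest, with its near-miss legitimate
    names. Entries that resemble a real header sort first: those are the
    ones to open and read before anything else."""
    known = set(known)
    rows = [{"name": n, "lookalikes": lookalikes(n, known, max_dist)}
            for n in listing if n not in known]
    rows.sort(key=lambda r: (not r["lookalikes"], r["name"]))
    return rows


def scan_directory(path: str, known: Iterable[str], max_dist: int = 2) -> List[Dict]:
    """Run the same check against a real directory, e.g. /usr/include/openssl,
    with `known` taken from the package manager's file list."""
    return find_unexpected(sorted(os.listdir(path)), known, max_dist)


if __name__ == "__main__":
    for row in find_unexpected(OBSERVED_LISTING, KNOWN_OPENSSL_HEADERS):
        near = ", ".join(f"{k} (distance {d})" for k, d in row["lookalikes"])
        print(f"UNEXPECTED {row['name']:<8} -> {near or 'no legitimate name nearby'}")
```

Run as-is it reports aes1.h (one edit from aes.h, two from asn1.h) and ss1.h (one edit from ssl.h) ahead of README, which is unexpected but resembles nothing. The manifest comparison is the part that matters; the edit-distance ranking only decides what to look at first, and it does nothing for a file that was swapped in place under its original name, which is why the advice in the thread to restore from trusted media rather than audit the compromised box still stands.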
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/