On Fri, Jul 27, 2007 at 09:42:49AM -0700, Andrew Sackville-West wrote:
> On Fri, Jul 27, 2007 at 04:43:28PM +0200, Magnus Pedersen wrote:
> > I have a new dir in /home/magnus, /home/magnus/cbt and I have not put it
> > there. It contains cbt/lib/libcbtsysinfo_0.so and google draws a blank on
> > that filename. Has my system been compromised (there is nothing out of the
> > ordinary anywhere else) or is there something I have missed?
>
> I ran google with "cbtsysinfo" and came up with this:
>
> http://spywarefiles.prevx.com/RRHGED043236257/CBTSYSINFO-0.DLL.html
>
> which, while it's obviously for Windows, shows the same storage path
> ($HOME/cbt/lib/). It looks to be a very new thing, so if it is some
> sort of malware and is so new (July 12) then perhaps it does exist for
> multiple platforms and just hasn't been reported yet...
If you haven't installed or upgraded any packages recently, and apt-file search libcbt doesn't give any output (which it doesn't), then it's safe to assume that something other than a Debian package or yourself put it there.

Since there is a chance that the system has been compromised, pull the plug. That may sound drastic, but it's possible for malware to sense a shutdown in progress and do something nasty. Ditto if you pull the network cable.

Pull the plug, then access that drive from either a live CD or by installing the drive in a known-safe system. Mount the drive read-only, noexec, nosuid etc. Look at /etc/passwd: is there a username magnus? Then decide if you want to try to figure out what happened or if you want to wipe the disk and reinstall.

The bottom line is that on a suspected system, you can't rely on any executable or even any log files.

Good luck,

Doug.
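The evidence-handling steps in Doug's reply (mount the drive read-only with noexec and nosuid from a live CD or a known-safe host, then check the disk's own /etc/passwd for the user, using only the live system's tools) as a POSIX shell script. This is an added example, not code from the thread or from Debian. The device, mount point and filesystem type are arguments you supply; the noload option is an extra caveat for ext3/ext4 that the thread does not mention (a plain ro mount still replays the journal and so writes to the disk); the username magnus and the cbt/lib path come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: mount a suspect disk as evidence
# (read-only, nothing executable, no setuid, no device nodes) from a live CD
# or a known-good host, then do the /etc/passwd check with the live system's
# own grep/awk/find. DEVICE, MOUNT_POINT and FSTYPE are assumptions passed
# as arguments; "magnus" and cbt/lib/libcbtsysinfo_0.so come from the thread.
set -eu

# Options for an evidence mount. "ro" alone is not enough on ext3/ext4: the
# kernel replays the journal at mount time unless "noload" is also given,
# which would write to the very disk you are trying to preserve.
evidence_mount_opts() {
    case "$1" in
        ext3|ext4) printf '%s\n' "ro,noexec,nosuid,nodev,noload" ;;
        *)         printf '%s\n' "ro,noexec,nosuid,nodev" ;;
    esac
}

# Mount DEVICE at MOUNT_POINT with the options above. blockdev --setro marks
# the block device itself read-only so a stray write cannot reach it. Needs
# root; only run when the script is given its three arguments.
evidence_mount() {
    dev="$1" mnt="$2" fstype="$3"
    blockdev --setro "$dev"
    mount -t "$fstype" -o "$(evidence_mount_opts "$fstype")" "$dev" "$mnt"
}

# Look up a login name in a passwd file taken from the mounted disk (pass
# "$MOUNT_POINT/etc/passwd", not the live system's /etc/passwd). Prints the
# entry and returns 0 if present, 1 if absent.
passwd_has_user() {
    grep "^$2:" "$1"
}

# Home directory recorded for a user in that passwd file (empty if none).
passwd_home_of() {
    awk -F: -v u="$2" '$1 == u { print $6 }' "$1"
}

# Regular files under a directory modified within the last N days, so the
# appearance of cbt/lib/libcbtsysinfo_0.so can be dated and compared with
# the rest of the home directory. -xdev keeps find on the evidence mount.
recent_files() {
    dir="$1" days="$2"
    find "$dir" -xdev -type f -mtime "-$days" -print
}

if [ $# -eq 3 ]; then
    DEVICE="$1" MOUNT_POINT="$2" FSTYPE="$3"
    evidence_mount "$DEVICE" "$MOUNT_POINT" "$FSTYPE"
    passwd="$MOUNT_POINT/etc/passwd"
    if passwd_has_user "$passwd" magnus; then
        home="$(passwd_home_of "$passwd" magnus)"
        echo "home for magnus on the evidence disk: $home"
        ls -ld "$MOUNT_POINT$home/cbt" "$MOUNT_POINT$home/cbt/lib" 2>/dev/null || true
        echo "files under $home changed in the last 30 days:"
        recent_files "$MOUNT_POINT$home" 30
    else
        echo "no user magnus in $passwd"
    fi
fi
```

Run it as root from the live CD, for example `sh evidence.sh /dev/sdb1 /mnt/evidence ext3` (device and mount point are placeholders). Everything it executes comes from the live system; nothing on the mounted disk can run because of noexec, which is the point Doug makes about not trusting any executable or log file on the suspect system.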