On Thu, 27 Jan 2011, elbbit wrote:
> On 27/01/11 16:21, will trillich wrote:
> > That's quite an assertion. How can I confirm it HAS been compromised, as
> > opposed to thinking it's a possibility?
>
> There is no way to know for sure unless you dissect the code running the
> machine. Depending on your paranoia quotient you will either reinstall
> or not.

The kernel complained that something tried a segfault, with a known marker (i.e. the segfault was NOT in error, it was on purpose). Then it told us it autoloaded support for pf-net-5: AppleTalk.

What is weird is that someone would do that running an exploit named "exploit". Oh well. That's also in the segfault report.

Bugs in the AppleTalk implementation give you ring-0 shellcode access on the kernel that box is running by its uptime.

This did not happen by accident. Unless a local administrator ran the exploit himself to check whether the system was vulnerable or not (it was), then it means someone got enough access to attack the system, i.e. it is compromised.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
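
Added example, not part of the original post: a small log check for the pattern described above, a user-process segfault that coincides with the kernel registering a rarely used protocol family. The log lines are constructed; the dmesg-style format, the families other than 5 (AppleTalk) and the 60-second window are assumptions of this example.

```python
import re

# dmesg-style lines: "[  ts] comm[pid]: segfault at ..." and
# "[  ts] NET: Registered protocol family N" (assumed log format).
SEGV = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(\S+)\[(\d+)\]: segfault at ")
FAMILY = re.compile(r"^\[\s*(\d+\.\d+)\]\s+NET: Registered protocol family (\d+)")

# 5 = AF_APPLETALK, the family named in the post. The other entries are
# an assumption of this example: families rarely needed on a server.
RARE_FAMILIES = {4: "IPX", 5: "AppleTalk", 19: "Econet", 21: "RDS"}
WINDOW = 60.0  # seconds between the two events (assumed threshold)


def correlate(lines, window=WINDOW):
    """Return segfaults that occur within `window` seconds of a rare
    protocol family being registered (module autoload), in either order."""
    segfaults, loads, findings = [], [], []
    for line in lines:
        m = SEGV.match(line)
        if m:
            segfaults.append((float(m.group(1)), m.group(2), int(m.group(3))))
            continue
        m = FAMILY.match(line)
        if m and int(m.group(2)) in RARE_FAMILIES:
            loads.append((float(m.group(1)), int(m.group(2))))
    for ts, comm, pid in segfaults:
        for load_ts, fam in loads:
            if abs(load_ts - ts) <= window:
                findings.append({"process": comm, "pid": pid, "family": fam,
                                 "name": RARE_FAMILIES[fam],
                                 "gap": round(load_ts - ts, 3)})
    return findings


# Constructed sample log, not taken from the thread.
SAMPLE = """\
[  812.114002] cron[911]: segfault at 10 ip 00007f1c2a3b4c5d sp 00007ffd11223344 error 4 in libc-2.11.2.so[7f1c2a300000+158000]
[93211.402117] exploit[4321]: segfault at 0 ip 0000000000400a1c sp 00007fff5fbff8a0 error 6 in exploit[400000+2000]
[93211.655310] NET: Registered protocol family 5
[99120.000412] NET: Registered protocol family 10
""".splitlines()

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print("review: {process}[{pid}] segfault {gap}s from load of "
              "family {family} ({name})".format(**f))
```

A hit is a reason to investigate, not proof on its own: as the post says, an administrator testing the box produces the same trace.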