On Tue, 12 Mar 2013 01:23:09 +0100 sp113438 <sp113...@telfort.nl> wrote:
> On Tue, 12 Mar 2013 00:19:27 +0100
> Sergey Spiridonov <s...@hurd.homeunix.org> wrote:
>
> > Hi Debian
> >
> > Just detected several modified binaries on one of my Debian Squeeze
> > 32 bit,
> > like /usr/bin/passwd, /bin/dash, /sbin/hdparm, /usr/bin/skype etc.
> > Modified files are bigger in size, but debsums does not complain
> > about them. I tried clamscan and avast on these binaries on another
> > host, they did not find anything. I also tried chkrootkit and
> > rkhunter (but I did not get possibility to boot from safe media
> > yet).
> >
> > You can find some good and binaries here [1]. This virus/rootkit
> > seems to be clever enough to deceive debsums, so it is
> > Debian-related.
> >
> > 1. http://hurd.homeunix.org/~sena/bad-skype/
> >
> > If I reinstall binaries, they become normal size, but become
> > changed again after reboot.
> >
> > Any ideas? What else needs to be done? Currently I am going to
> > reinstall Debian box.
>
> No solution, but how did you find out about the changed size?
>

After running on my amd64 squeeze:

# rkhunter --update
rkhunter -c

rkhunter showed one warning:

Warning: Checking for possible rootkit strings [ Warning ]
[01:25:23] Found string 'hdparm' in file '/etc/init.d/.depend.boot'. Possible rootkit: Xzibit Rootkit
[01:25:23] Found string 'hdparm' in file '/etc/init.d/hdparm'. Possible rootkit: Xzibit Rootkit

> I did not get possibility to boot from safe media yet

You can go to rescue mode with your installation medium (via expert mode)
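
Added example, not part of the original thread: debsums compares files with the md5sums records stored under /var/lib/dpkg/info on the same disk, so a check run from rescue media against a list taken from a clean copy of the package (for instance the md5sums file in the control archive of a .deb downloaded on a clean host) does not depend on the suspect system's own records. The function name, status labels, mount point and file locations below are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed assumptions: ROOT is the
# suspect filesystem mounted read-only from rescue media, and TRUSTED is an
# md5sums list ("<md5>  <relative/path>") taken from a clean copy of the package.

# check_pkg ROOT PKG TRUSTED
# Prints "<STATUS> <path>" per listed file; returns 1 if any file is not OK.
check_pkg() {
    root=$1; pkg=$2; trusted=$3; rc=0
    db="$root/var/lib/dpkg/info/$pkg.md5sums"   # records debsums relies on
    while read -r want path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK $path"; continue
        fi
        rc=1
        # Look up the hash that the on-disk dpkg database records for this path.
        recorded=$(awk -v p="$path" '$2 == p { print $1 }' "$db" 2>/dev/null)
        if [ "$recorded" = "$have" ]; then
            # Database agrees with the altered file: debsums would stay silent.
            echo "MODIFIED_DB_AGREES $path"
        else
            echo "MODIFIED $path"
        fi
    done < "$trusted"
    return "$rc"
}

# Stand-alone use (hypothetical paths):
#   sh check_pkg.sh /mnt passwd /media/usb/passwd.md5sums
if [ "$#" -eq 3 ]; then
    check_pkg "$@"
fi
```

A MODIFIED_DB_AGREES line means the file differs from the trusted list while the on-disk dpkg record matches the altered file, which is one situation in which debsums reports nothing.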