On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> Hi guys,
>
> I am afraid my happiness was short lived. To test if the deletion of the
> file (and the effects thereof) would be permanent I rebooted the system and
> consequently found another file (same size, same random lettering) booted
> up with everything else. :( ... The culprit is well hidden and regenerates
> itself ...

Well… if something creates a file in /boot, it needs to be started somewhere. I still bet an examination along the ideas I suggested from a live distro may reveal where the file is created. Or it may not, at least not easily, if a changed binary creates the file, instead of some script. It's still not clear whether it's really malware or just some broken third party software you installed, but… if you didn't install any broken third party software and it really is, read on.

> I did "file -k", "grep -ir" and most of the other things you guys suggested,
> but nothing showed up. I am now going through the "after-compromise"
> chapter as one of you suggested.

That doesn't make sense to me. At least file -k on one of the files should show some output.

> I will run "sleuthkit" and report if anything is found. However, I am afraid
> a backup and re-installation is on the horizon for me ...... sigh .....
>
> Can I make the "/etc/init.d" directory readable only with the contents
> thereof still executable ... until I can properly back-up and install
> everything again? ... or maybe some other short term solution ...

No. In case of a compromise, *reinstall* from *scratch*. It's that easy. Especially when you do not know how the file is created on bootup. It could be basically anywhere.

Really read: https://www.debian.org/doc/manuals/securing-debian-howto/ch-after-compromise.en.html :)

I'd *switch* off the machine in the case of a compromise. This will also disconnect it from the network. Then I'd use a live distro to make a file-based copy to a safe place. With rsync I bet. Then I'd reinstall from scratch. And be extra careful with any data I copy back from the backup.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7

Archive: https://lists.debian.org/1677582.HZp1z1gOUd@merkaba
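As an added example, not part of the thread, here are the two offline checks the live-distro approach above amounts to, run against the suspect root filesystem mounted read-only at a given path: verifying every file dpkg installed against the md5sums it recorded (a changed binary shows up as FAILED), and listing the boot-time hook locations whose contents mention the regenerating file's name. It assumes a Debian layout under the mount point and an md5sum binary on the live system; the mount point and file name are parameters.

```shell
#!/bin/sh
# Added example (not from the thread). Run from a live distro with the
# suspect root mounted read-only, e.g. mount -o ro,noexec,nodev /dev/sdX1 /mnt
# Assumes a Debian layout: var/lib/dpkg/info/*.md5sums under the mount.
set -u

# verify_dpkg_files MOUNT
# Recompute md5 for every file listed in dpkg's per-package md5sums files,
# relative to MOUNT, and print one line per mismatch ("usr/bin/x: FAILED").
# Note: dpkg does not record md5sums for conffiles under /etc, so those
# still need a manual look; the hook search below covers part of that.
verify_dpkg_files() {
    mount="$1"
    ( cd "$mount" || exit 2
      for list in var/lib/dpkg/info/*.md5sums; do
          [ -f "$list" ] || continue
          # md5sum -c reads "hash  relative/path" lines; because we are at the
          # mount root, the relative paths resolve inside the suspect tree.
          md5sum -c "$list" 2>/dev/null | grep -v ': OK$' || true
      done )
}

# find_boot_hooks MOUNT NAME
# Print files under the usual boot/scheduler hook directories (relative to
# MOUNT) whose contents contain NAME, e.g. the random name of the /boot file.
# An empty result means the creator is not a plain script there, which is
# the "changed binary" case where verify_dpkg_files is the better lead.
find_boot_hooks() {
    mount="$1"; name="$2"
    ( cd "$mount" || exit 2
      for d in etc/rc.local etc/init.d etc/rc*.d etc/cron* etc/systemd \
               lib/systemd usr/lib/systemd var/spool/cron; do
          [ -e "$d" ] && grep -rl -- "$name" "$d" 2>/dev/null || true
      done )
}
```

Anything verify_dpkg_files flags that is not a file you knowingly edited is a candidate for closer inspection, but as the reply says, the answer to a confirmed compromise is still a reinstall from scratch.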