On Tuesday, 6 January 2015, 19:20:20, Brian wrote:
> On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:
> > On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> > > Hi guys,
> > >
> > > I am afraid my happiness was short lived. To test if the deletion of the
> > > file (and the effects thereof) would be permanent I rebooted the system
> > > and consequently found another file (same size, same random lettering)
> > > booted up with everything else. :( ... The culprit is well hidden and
> > > regenerates itself ...
> >
> > Well… if something creates a file in /boot, it needs to be started
> > somewhere. I still bet an examination along the ideas I suggested from a
> > live distro may reveal where the file is created. Or it may not, at least
> > not easily, if a changed binary creates the file, instead of some script.
> > It's still not clear whether it's really malware or just some broken
> > third party software you installed, but… if you didn't install any broken
> > third party software and it really is, read on.
>
> Are we now to assume these files are only created on boot? The OP could
> at least look into this and let us know whether this is so. It looks to
> me there is some configuration which creates them. The configuration is
> far more likely to have been produced by him than some invader.
>
> > > I did "file -k", "grep -ir" and most of the other things you guys
> > > suggested, but nothing showed up. I am now going through the
> > > "after-compromise" chapter as one of you suggested.
> >
> > That doesn't make sense to me. At least file -k on one of the files should
> > show some output.
>
> Doesn't make sense to me either. The file command produces something.
> Your mentioning of it was really a suggestion for the OP to provide
> its output. The invitation wasn't taken up.
>
> > > I will run "sleuthkit" and report if anything is found. However, I am
> > > afraid a backup and re-installation is on the horizon for me ......
> > > sigh .....
> > >
> > > Can I make the "/etc/init.d" directory readable only with the contents
> > > thereof still executable ... until I can properly back-up and install
> > > everything again? ... or maybe some other short term solution ...
> >
> > No. In case of a compromise, *reinstall* from *scratch*.
> >
> > It's that easy.
>
> Or....
>
> If the machine is not compromised - fix it.
>
> It's that easy.

Sure, that's why I wrote:

> > No. In case of a compromise, *reinstall* from *scratch*.

I think "In case of a compromise" is clear enough.

-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA B82F 991B EAAC A599 84C7

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5777066.KTOvfcT0Ng@merkaba
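As an added example that is not part of the thread (none of the participants posted code), the examination Martin suggests can be scripted: from a live distro, with the affected disk mounted somewhere like /mnt, grep the places from which something is started at boot for the name of the regenerating file, and collect what `file -k`, `stat` and dpkg say about the file itself, which is the output Brian notes the OP never provided. The directory list, the function names `scan_startup` and `inspect_file`, and the sample tree in the usage comment are my assumptions, not anything from the list. The caveat Martin raises stands: a modified binary that writes the file is not found this way, and `grep -I` deliberately skips binary files, so a hit hidden in a binary needs a separate search (for example `strings` over suspect binaries, or `debsums` against the package database).

```shell
#!/bin/sh
# Added example (not from the debian-user thread). Locate what recreates a
# file in /boot at boot time by searching boot-time startup locations of a
# mounted root filesystem, and report basic facts about the file itself.
#
# Usage from a live distro with the affected disk mounted under /mnt:
#   . ./scan_startup.sh
#   scan_startup /mnt 'AbCdEf'        # the random name of the file in /boot
#   inspect_file /mnt/boot/AbCdEf

# scan_startup ROOT PATTERN
#   ROOT    : mount point of the filesystem under examination ("/" or "/mnt")
#   PATTERN : grep -E pattern, e.g. the file's random name or '/boot/'
# Prints "path:line:text" for every match; returns 0 if anything matched,
# 1 otherwise. Directory list is an assumption: the usual Debian places from
# which something can be started at boot (init scripts, rc dirs, cron,
# systemd units, kernel/initramfs hooks, shell profile snippets).
scan_startup() {
    root=$1
    pattern=$2
    found=1
    for d in etc/init.d etc/rc.local etc/rcS.d etc/rc2.d etc/rc3.d \
             etc/rc4.d etc/rc5.d etc/cron.d etc/cron.hourly etc/cron.daily \
             etc/crontab etc/systemd/system lib/systemd/system \
             etc/kernel/postinst.d etc/initramfs-tools etc/default \
             etc/profile.d etc/bash.bashrc; do
        [ -e "$root/$d" ] || continue
        # -r recurse, -I skip binaries (a changed binary that writes the
        # file will NOT show up here; see the caveat in the thread), -n line
        # numbers, -E extended regex, -- so a pattern starting with '-' works.
        if grep -rInE -- "$pattern" "$root/$d" 2>/dev/null; then
            found=0
        fi
    done
    return $found
}

# inspect_file PATH
#   Reports type (file -k keeps going after the first match), timestamps
#   (a file recreated at every boot has a ctime shortly after boot) and
#   whether any installed package owns it. Returns 1 if PATH is missing.
inspect_file() {
    f=$1
    [ -e "$f" ] || { echo "no such file: $f" >&2; return 1; }
    if command -v file >/dev/null 2>&1; then
        file -k -- "$f"
    fi
    stat -c 'size=%s mtime=%y ctime=%z' -- "$f"
    # When the disk is mounted under /mnt, point dpkg at that database:
    #   dpkg-query --admindir=/mnt/var/lib/dpkg -S /boot/AbCdEf
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -S -- "$f" 2>/dev/null || echo "not owned by any installed package"
    fi
    return 0
}
```

A match in /etc/init.d or /etc/cron.d answers Brian's question (is it configuration, and whose?) directly; no match at all, together with `file -k` reporting an ELF or packed blob, is the point at which Martin's "reinstall from scratch" advice applies rather than hardening /etc/init.d.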