I believe it's better for rkhunter to be initialised on a fresh install,
but I think it also checks for the existence of files known to be part of a
rootkit. Admittedly of minor value.
The thing *not* to do with an infected system is initialise the rkhunter db.
Lesley
On Jan 22, 2014, at 10:51 AM, Kevin Olbrich wrote:
>
> Okay but this mismatch does not automatically mean it is not working.
> Can you check if the features are present? Maybe the patch is still
> compatible with a newer kernel?
>
Hi Kevin,
I installed the i386 architecture and installed th
Yes but this is only the case when rkhunter was active before.
AFAIK rkhunter itself has no signatures, it generates the initial checksums on
first start.
With kind regards / best regards,
Kevin Olbrich.
Web: http://kevin-olbrich.de/
--
This e-mail contains confidential and/or legally
At Wed, 22 Jan 2014 19:47:27 +0700,
Andika Triwidada wrote:
>
> On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon wrote:
> > the same...no output
>
> could be hidden by rootkit :(
I think so too.
Could you try to use debsums and rkhunter? They would find cracked
commands.
--
To UNSUBSCRIBE, em
* Marco Saller:
> I am not sure if this question has been asked or answered yet,
> please do not mind if I ask it again.
> Is it possible that the NSA or other services included investigative
> software in some Debian packages?
We don't reject contributions just because they come from a go
On Jan 22, 2014 9:11 AM, Nico Angenon wrote:
>
> Here is the ps aufx result... (a bit long)
(Please excuse any wonky formatting or glaring oversights, I'm on a mobile
device.)
You appear to be running an nfs server on this host. Try stopping the
nfs-kernel-server service and see if anythin
Marko Randjelovic:
> Octavio Alvarez wrote:
>> I wouldn't worry about SELinux specifically.
>
> As I already pointed out, there is something:
> http://lists.debian.org/20140120005556.612de...@eunet.rs
And Russel Coker carefully explained in his reply to your mail why that
approach does not help
>
> On Jan 22, 2014, at 9:59 AM, Kevin Olbrich wrote:
>
>> Wouldn't this mean there is an error message? The patch could work with a
>> newer kernel in general (?).
>>
>> I did not try it but are there so many changes between both releases?
>
> Hi Kevin,
>
> I just tried this on Debian wit
On Jan 22, 2014, at 9:59 AM, Kevin Olbrich wrote:
> Wouldn't this mean there is an error message? The patch could work with a
> newer kernel in general (?).
>
> I did not try it but are there so many changes between both releases?
Hi Kevin,
I just tried this on Debian with kernel 3.2.51 in a
Perhaps in your haste, you missed something.
If I run netstat -anpe as a user I get this specific message and the PID
column is populated with only a "-" for all entries, just like you
showed.
I.E.
netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
will not b
Wouldn't this mean there is an error message? The patch could work with a newer
kernel in general (?).
I did not try it but are there so many changes between both releases?
With kind regards / best regards,
Kevin Olbrich.
(sent from my iPhone)
--
On Jan 22, 2014, at 6:01 AM, Marko Randjelovic wrote:
>> It appears that this patch is available in the apt repos under the
>> "kernel" section (sensibly enough) as:
>>
>> linux-patch-grsecurity2
>>
>> Once it's downloaded, it patches the kernel in an automated fashion and
>> doesn't for
> On 22.01.2014 at 15:13, Marko Randjelovic wrote:
>
> On Wed, 22 Jan 2014 15:08:39 +0100
> "Milan P. Stanic" wrote:
>
>> I found it a lot easier to go with vanilla kernel and grsec/pax patch
>> instead of using Debian kernels.
>
> Of course, but then se
Here is the ps aufx result... (a bit long)
Nico
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         2  0.0  0.0      0     0 ?        S    2013    0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    2013    0:07  \_ [migration/0]
root
On Wed, 22 Jan 2014 15:08:39 +0100
"Milan P. Stanic" wrote:
> I found it a lot easier to go with vanilla kernel and grsec/pax patch
> instead of using Debian kernels.
Of course, but then secret services won't see you are using Debian :)
--
Education is a process of making people see what is ad
On Mon, 20 Jan 2014 09:22:04 -0800
Octavio Alvarez wrote:
> On 01/20/2014 05:29 AM, Marco Saller wrote:
> > I have read that the NSA proposed to include SELinux in linux 2.5. (Linux
> > Kernel Summit 2001)
> > Don't you think that may be one of their fancy tricks to gain access to
> > computers
On Wed, 2014-01-22 at 15:01, Marko Randjelovic wrote:
> On Sun, 19 Jan 2014 21:17:03 -0800
> Andrew Merenbach wrote:
> > I just decided to try this out the other day on my Wheezy 7.3 install.
> > It wasn't that painful and I haven't noticed any performance impact or
> > misbehaving (read: broke
If you think you have been hacked, you can use ps, lsof and other commands
from another server that is not hacked, for example scp goodserver:/bin/ps /tmp/ps
and use /tmp/ps. This isn't secure, because maybe the attacker installed
a rootkit.
2014/1/22 Matias Mucciolo
>
> can you paste a ps auxf output?
On Sun, 19 Jan 2014 21:17:03 -0800
Andrew Merenbach wrote:
> I just decided to try this out the other day on my Wheezy 7.3 install.
> It wasn't that painful and I haven't noticed any performance impact or
> misbehaving (read: broken) programs, at least not yet. Then again, I
> haven't done r
can you paste a ps auxf output?
maybe someone sees some strange process
--
Matias
On Wednesday, January 22, 2014 10:57:14 AM Nico Angenon wrote:
> Hello,
>
> I've put firewall rules on this before the box, so there is no connection
> left on this port... but there was a lot of traffic on th
Hello,
I've put firewall rules on this before the box, so there is no connection
left on this port... but there was a lot of traffic on this port before the
rule...
Nico
From: Lesley Binks
Sent: Wednesday, January 22, 2014 2:46 PM
To: Nico Angenon
Cc: debian-security@lists.debian.org
Subje
On Wed, 2014-01-22 at 14:26, Nico Angenon wrote:
> Files /tmp/a and /tmp/b give me the same number list...
>
> I'll format the box, it'll go faster...
True!
But if there is a vulnerability (security hole) in your system, it's just
a question of time before you'll have this situation again.
> -Mess
Sorry for top posting. I'm on my phone.
You can always check for data on the interface using tcpdump.
Worth using it to verify what's happening.
Lesley
On 22 Jan 2014 13:33, "Nico Angenon" wrote:
> no output
>
> Thanks for all...
>
> Nico
>
> -Original Message- From: johan A. van Z
On Wed, Jan 22, 2014 at 02:33:27PM CET, Nico Angenon said:
> no output
>
> Thanks for all...
>
> Nico
You may also try lsof -i udp:10001
Launch it as root, because a normal user cannot see the descriptors of
processes owned by others.
no output
Thanks for all...
Nico
-Original Message-
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
"Nico Angenon" wrote:
nope... never used th
"Nico Angenon" wrote:
> nope... never used this service...
> Still looking for an explanation, trying chkrootkit and rkhunter right
> now
Try fuser:
fuser -n udp 10001
-johan
Files /tmp/a and /tmp/b give me the same number list...
I'll format the box, it'll go faster...
Nico
-Original Message-
From: Matias Mucciolo
Sent: Wednesday, January 22, 2014 2:14 PM
To: debian-security@lists.debian.org
Cc: Nico Angenon
Subject: Re: finding a process that bind a spcif
You can try something like:
cd /proc/ && ls -d1 [0-9]* | sort -n > /tmp/a
ps ax -o pid | grep "[0-9]" | tr -d " " | sort -n > /tmp/b
and check which PIDs exist in the /proc dir but not in ps
example in my box:
..
46154615
4624
If it is installed, I didn't do it...
I've never heard about this...
Nico
From: Kevin Olbrich
Sent: Wednesday, January 22, 2014 2:04 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port
Do you have IntelliJ installed in this box?
http://stackoverflow.
Do you have IntelliJ installed in this box?
http://stackoverflow.com/questions/13345986/intellij-idea-using-10001-port
With kind regards / best regards,
Kevin Olbrich.
(sent from my iPhone)
--
Same : No output...
Nico
-Original Message-
From: johan A. van Zanten
Sent: Wednesday, January 22, 2014 1:56 PM
To: n...@creaweb.fr
Cc: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
"Nico Angenon" wrote:
nope... never used this servi
I do try as root...
Nico
From: Frank
Sent: Wednesday, January 22, 2014 1:45 PM
To: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
On 01/22/2014 01:20 PM, Nico Angenon wrote:
Hello,
I think I've been hacked on one of my boxes...
I'm trying to find
On Wed, 2014-01-22 at 13:37, Nico Angenon wrote:
> the same...no output
Maybe you'll be lucky with:
ss -ulp
But, if you are really hacked it would be better to shut down the machine,
move the disk to a clean machine and try some forensic tools.
> -Original Message- From: Andika Triwidada
> S
On 01/22/2014 01:20 PM, Nico Angenon wrote:
> Hello,
>
> I think I've been hacked on one of my boxes...
>
> I'm trying to find which process binds a specific port:
>
> # netstat -anpe |grep udp
> gives me
> udp        0      0 0.0.0.0:10001           0.0.0.0:*                           0
nope... never used this service...
Still looking for an explanation, trying chkrootkit and rkhunter right now
Nico
From: wootanaz
Sent: Wednesday, January 22, 2014 1:45 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port
Maybe you are using (or had
The same...
no output
using lsof -i :10001
Nico
-Original Message-
From: Marco De Benedetto
Sent: Wednesday, January 22, 2014 1:35 PM
To: debian-security@lists.debian.org
Subject: Re: finding a process that binds a specific port
On Wed 22 Jan, Andika Triwidada wrote:
On Wed, Jan 22,
On Wed, Jan 22, 2014 at 7:37 PM, Nico Angenon wrote:
> the same...no output
could be hidden by rootkit :(
>
> Nico
>
> -Original Message- From: Andika Triwidada
> Sent: Wednesday, January 22, 2014 1:33 PM
> To: Nico Angenon
> Cc: debian security
> Subject: Re: finding a process that
netstat -tulpn | grep :10001
grep 10001 /etc/services
or:
fuser 10001/udp
This will output the PID.
Then find out the process name associated with the PID:
ls -l /proc/PID/exe
---Permission to forward and reprint is given.---
*Don't confuse my personality with my attitude. My personality is who I am.
My attit
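Putting the two approaches from this thread together as an added example (it is not code from the list discussion): Andika's steps above map a port to a PID and then to /proc/PID/exe, and Matias's earlier suggestion compares the PIDs present in /proc with what ps reports. The script below does by hand what netstat -p and lsof do internally: read the socket inode for the port from /proc/net/udp, then walk every /proc/<pid>/fd looking for a socket:[inode] link. If no process holds the inode, netstat prints "-" in the PID column, which is exactly the output in the original post. The /proc/net/udp excerpt (carrying the inode 5950269 from the post), the fake /proc tree built in a temporary directory, the PIDs 4615 and 4624, and the exe path /usr/sbin/named are all constructed for the demo.

```python
"""
Map a listening UDP port to its owning PID the way netstat -p / lsof do, and
list PIDs that /proc exposes but ps does not.  Example code, not from the thread.
"""
import os
import tempfile

# Constructed /proc/net/udp excerpt.  local_address is hex IP:port, 0x2711 == 10001.
# The inode column (field 9) is what netstat -e prints and what -p resolves to a PID.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  42: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
  77: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
"""


def udp_inodes_for_port(proc_net_udp_text, port):
    """Return the socket inodes bound to `port` on any local address."""
    inodes = []
    for line in proc_net_udp_text.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].split(":")[1], 16)
        if local_port == port:
            inodes.append(int(fields[9]))
    return inodes


def pids_in_proc(proc_root):
    """Every numeric directory under proc_root, i.e. every PID the kernel exposes."""
    return sorted(int(d) for d in os.listdir(proc_root) if d.isdigit())


def owner_of_inode(proc_root, inode):
    """Scan /proc/<pid>/fd for socket:[inode]; return (pid, exe) or None.

    None is what netstat renders as "-": either no process holds the socket
    (a kernel-held socket such as the ones nfs-kernel-server creates), or the
    fd directories of other users' processes were unreadable because the
    caller is not root.
    """
    target = "socket:[%d]" % inode
    for pid in pids_in_proc(proc_root):
        fd_dir = os.path.join(proc_root, str(pid), "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process vanished, or permission denied (not root)
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
            except OSError:
                continue
            try:
                exe = os.readlink(os.path.join(proc_root, str(pid), "exe"))
            except OSError:
                exe = "?"
            return pid, exe
    return None


def hidden_pids(proc_root, ps_pids):
    """PIDs visible in /proc but missing from a ps listing.

    A trojaned ps or an LD_PRELOAD rootkit filters its own processes out of
    ps output but cannot remove them from /proc; a kernel-mode rootkit can hide
    from /proc as well, so an empty result only rules out userland tampering.
    """
    return sorted(set(pids_in_proc(proc_root)) - set(ps_pids))


def build_fake_proc(root):
    """Constructed /proc layout: PID 4615 owns inode 12345 (port 53); nothing owns 5950269."""
    os.makedirs(os.path.join(root, "4615", "fd"))
    os.symlink("socket:[12345]", os.path.join(root, "4615", "fd", "3"))
    os.symlink("/usr/sbin/named", os.path.join(root, "4615", "exe"))   # hypothetical exe path
    os.makedirs(os.path.join(root, "4624", "fd"))   # present in /proc, absent from the fake ps output


def demo():
    root = tempfile.mkdtemp()
    build_fake_proc(root)
    ps_output_pids = [4615]          # what a (possibly trojaned) ps claims is running
    inodes = udp_inodes_for_port(SAMPLE_PROC_NET_UDP, 10001)
    return {
        "inodes_10001": inodes,                              # [5950269]
        "owner_10001": owner_of_inode(root, inodes[0]),      # None, netstat would print "-"
        "owner_53": owner_of_inode(root, 12345),             # (4615, "/usr/sbin/named")
        "hidden": hidden_pids(root, ps_output_pids),         # [4624]
    }


if __name__ == "__main__":
    # On a real box, as root:
    #   udp_inodes_for_port(open("/proc/net/udp").read(), 10001)
    #   owner_of_inode("/proc", inode)
    #   hidden_pids("/proc", <pids parsed from ps ax -o pid>)
    print(demo())
```

Run it as root on the suspect host; an unprivileged user gets None for every socket owned by someone else, the same "-" Nico and Kevin saw, which proves nothing. A None for port 10001 even as root means either a kernel-held socket (the NFS suggestion earlier in the thread is worth checking by stopping nfs-kernel-server) or something hiding below /proc, at which point the advice to pull the disk and look at it from a clean machine is the right one.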
On Wed 22 Jan, Andika Triwidada wrote:
> On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:
> > Hello,
> >
> > I think I've been hacked on one of my boxes...
> >
> > I'm trying to find which process binds a specific port:
> >
> > # netstat -anpe |grep udp
> > gives me
> > udp        0      0 0.0.0.0:1
the same...no output
Nico
-Original Message-
From: Andika Triwidada
Sent: Wednesday, January 22, 2014 1:33 PM
To: Nico Angenon
Cc: debian security
Subject: Re: finding a process that binds a specific port
On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:
Hello,
i think i’ve b
On Wed, Jan 22, 2014 at 7:20 PM, Nico Angenon wrote:
> Hello,
>
> I think I've been hacked on one of my boxes...
>
> I'm trying to find which process binds a specific port:
>
> # netstat -anpe |grep udp
> gives me
> udp        0      0 0.0.0.0:10001           0.0.0.0:*                           0          5950269    -
>
>
> b
Hello,
I think I've been hacked on one of my boxes...
I'm trying to find which process binds a specific port:
# netstat -anpe |grep udp
gives me
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           0          5950269    -
but
# lsof |grep 10001
doesn't show me anything