[ubuntu-za] Server Hacked

Hannes Coetzee scorpking at scorpking.za.org
Thu Dec 16 09:01:57 GMT 2010


On 16/12/2010 09:11, Andy Rabagliati wrote:
> On Thu, 16 Dec 2010, Hannes Coetzee wrote:
>
>> My server at home seems to be hacked and infected with Suckit, or at
>> least that's what chkrootkit reports. /sbin/init was changed on
>> 08/12/2010 but I've only picked this up yesterday while using ls.
> My birthday !
>
> ls -l /sbin/init
> -rwxr-xr-x 1 root root 104068 Aug 12 23:33 /sbin/init
>
> I use 'debsums' - which matches package-installed files with their
> checksums.
>
> Another thing I do is mount /usr on its own partition, read-only.
>
> It is not that hard to re-mount it read-write before updates, but
> that is not something a scripted virus would do.
>
> Cheers,  Andy
Thanks for the info. Is this normal?

root@venus:/home/serveradmin# debsums -s
debsums: no md5sums for binutils
debsums: no md5sums for installation-report
debsums: no md5sums for klogd
debsums: no md5sums for libaudio2
debsums: no md5sums for netbase
debsums: no md5sums for php5
debsums: no md5sums for squid
debsums: no md5sums for squid-common
debsums: no md5sums for sysklogd
debsums: no md5sums for xutils
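
Added example, not part of the original message and not debsums' own code: a minimal Python version of the check discussed above, comparing installed files against a dpkg-style md5sums list ("<md5>  <path relative to />") and reporting a package with no list separately, as in the "no md5sums for ..." lines. The package names, directory layout and file contents are constructed for the demo, and multiarch "package:arch" list names are ignored.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(info_dir, package, root="/"):
    """Return (status, name) findings: CHANGED, MISSING or NO_MD5SUMS."""
    manifest = os.path.join(info_dir, package + ".md5sums")
    if not os.path.exists(manifest):
        # Nothing to compare against: the package cannot be verified this way.
        return [("NO_MD5SUMS", package)]
    findings = []
    with open(manifest) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            expected, rel = line.split(None, 1)  # path may contain spaces
            path = os.path.join(root, rel)
            if not os.path.isfile(path):
                findings.append(("MISSING", rel))
            elif md5_of(path) != expected:
                findings.append(("CHANGED", rel))
    return findings

def demo():
    """Constructed tree: one listed file, checked before and after a change."""
    with tempfile.TemporaryDirectory() as tmp:
        root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
        os.makedirs(os.path.join(root, "sbin"))
        os.makedirs(info)
        init = os.path.join(root, "sbin", "init")
        with open(init, "wb") as f:
            f.write(b"constructed stand-in for the packaged binary\n")
        with open(os.path.join(info, "pkg-a.md5sums"), "w") as f:
            f.write(md5_of(init) + "  sbin/init\n")
        clean = verify_package(info, "pkg-a", root)
        with open(init, "ab") as f:          # simulate the file being altered
            f.write(b"extra bytes\n")
        changed = verify_package(info, "pkg-a", root)
        unlisted = verify_package(info, "pkg-b", root)  # no list on disk
        return clean, changed, unlisted

if __name__ == "__main__":
    print(demo())
```

The checksum lists live on the same disk as the files they describe, so a result from a system that may already be compromised is only as trustworthy as those lists and the tools reading them.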


