On Tue 06 Jan 2015 at 20:28:04 +0100, Martin Steigerwald wrote:
> On Tuesday, 6 January 2015, 19:20:20, Brian wrote:
> > On Tue 06 Jan 2015 at 19:47:09 +0100, Martin Steigerwald wrote:
> > > On Tuesday, 6 January 2015, 21:51:26, Danny wrote:
> > > > Hi guys,
> > > >
> > > > I am afraid my happiness was short lived. To test if the deletion of the
> > > > file (and the effects thereof) would be permanent I rebooted the system
> > > > and consequently found another file (same size, same random lettering)
> > > > booted up with everything else. :( ... The culprit is well hidden and
> > > > regenerates itself ...
> > >
> > > Well… if something creates a file in /boot, it needs to be started
> > > somewhere. I still bet an examination along the ideas I suggested from a
> > > live distro may reveal where the file is created. Or it may not, at least
> > > not easily, if a changed binary creates the file, instead of some script.
> > > It's still not clear whether it's really malware or just some broken
> > > third party software you installed, but… if you didn't install any broken
> > > third party software and it really is, read on.
> >
> > Are we now to assume these files are only created on boot? The OP could
> > at least look into this and let us know whether this is so. It looks to
> > me there is some configuration which creates them. The configuration is
> > far more likely to have been produced by him than some invader.
> >
> > > > I did "file -k", "grep -ir" and most of the other things you guys
> > > > suggested, but nothing showed up. I am now going through the
> > > > "after-compromise" chapter as one of you suggested.
> > >
> > > That doesn't make sense to me. At least file -k on one of the files should
> > > show some output.
> >
> > Doesn't make sense to me either. The file command produces something.
> > Your mentioning of it was really a suggestion for the OP to provide
> > its output. The invitation wasn't taken up.
> >
> > > > I will run "sleuthkit" and report if anything is found. However, I am
> > > > afraid a backup and re-installation is on the horizon for me ......
> > > > sigh .....
> > > >
> > > > Can I make the "/etc/init.d" directory readable only with the contents
> > > > thereof still executable ... until I can properly back-up and install
> > > > everything again? ... or maybe some other short term solution ...
> > >
> > > No. In case of a compromise, *reinstall* from *scratch*.
> > >
> > > It's that easy.
> >
> > Or....
> >
> > If the machine is not compromised - fix it.
> >
> > It's that easy.
>
> Sure, that's why I wrote:
>
> > > No. In case of a compromise, *reinstall* from *scratch*.
>
> I think "In case of a compromise" is clear enough.
"If the machine is not compromised" is also clear enough.

Archive: https://lists.debian.org/06012015194824.c6a89cfc6...@desktop.copernicus.demon.co.uk
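Brian's open question (are the files only created at boot?) can be answered from the affected system without guessing, by comparing each file's inode change time with the kernel's boot time and by snapshotting /boot before and after a reboot. This is an added shell example, not code from the thread; it assumes a Linux /proc (for btime and uptime) and GNU stat, find and sha256sum.

```shell
#!/bin/sh
# Added example: is a file in a directory such as /boot (re)created on boot?
# Assumes Linux procfs (/proc/stat, /proc/uptime) and GNU coreutils/findutils.
# Usage: . ./bootcheck.sh; created_since_boot /boot/<suspect file>

boot_time() {
    # Epoch second at which the kernel booted ("btime" line in /proc/stat).
    awk '/^btime/ { print $2 }' /proc/stat
}

minutes_since_boot() {
    # Whole minutes since boot, rounded up, in the form find -cmin expects.
    awk '{ print int($1 / 60) + 1 }' /proc/uptime
}

created_since_boot() {
    # $1: path. Exit 0 if the inode change time (ctime) is at or after the
    # boot, 1 if it predates the boot, 2 if the path cannot be examined.
    # ctime, unlike mtime, cannot be set with touch, so it is the better clock.
    [ -e "$1" ] || return 2
    ctime=$(stat -c %Z "$1" 2>/dev/null) || return 2
    [ "$ctime" -ge "$(boot_time)" ]
}

list_since_boot() {
    # $1: directory. Print every regular file whose ctime falls after the boot;
    # a regenerated file shows up here, a file from an old install does not.
    find "$1" -xdev -type f -cmin "-$(minutes_since_boot)" 2>/dev/null
}

snapshot() {
    # $1: directory, $2: output file. Record "sha256  path" for every regular
    # file, sorted by path. Take one before and one after a reboot and diff
    # them: a new path with an already-seen hash is the same content under a
    # new random name, which is what the OP describes.
    find "$1" -xdev -type f -exec sha256sum {} + 2>/dev/null \
        | sort -k2 > "$2"
}
```

Run `snapshot /boot /root/boot-before.txt`, reboot, run `snapshot /boot /root/boot-after.txt` and diff the two; `list_since_boot /boot` then narrows the search for what writes the file to the boot sequence itself.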