Dear all,

Today I encountered something that might have been a virus attack on my
system. As I had posted earlier, all symlinks were being shown as broken
using the 'ls' command. After checking DIR_COLORS, the links and the files
themselves, I decided to reinstall the fileutils package (which contains
the 'ls' program).

rpm -e fileutils

--> Cannot remove '/bin/ls'. Permission denied.

This was perplexing. I was working as root and the file was owned by root,
group root. The permissions were -rwxr-xr-x. I next tried

lsattr /bin/ls

--> ---i-------- /bin/ls

Who set this attribute? Why - no clues. Only I have the root password and
I hadn't done it. The file's modify time was March 22 20:21 and the logs
had been truncated before that. All the logs had no entries between Feb 17
and March 22.

As of now, I have checked /bin, /usr/bin, /sbin, /usr/sbin, /usr/X11R6/bin
with lsattr and any files with immutable (i) attribute have been reset and
the corresponding rpm reinstalled using the "--force" option.

rpm -V also gives interesting results. All the files with the i attribute set
had different sizes, MD5 checksums, and mtimes than when installed. There
are many such files remaining, but they don't have the i attribute set.

I am really worried. Some files I can identify as having been modified by
myself. Most others I haven't touched, but still they are being shown as
modified. Which of them were modified by system processes and which by
this virus/trojan? I still don't know how the system was infected, or if it
is cured or not.

I would like to know if any of you have had similar experiences. Any
pointers to good virus/trojan/security resources on the Internet would be
very helpful. How can I further protect my system and detect such
intrusions? How can I be sure that THIS attack has been cured?

Please help, people - I am at the end of my tether. A virus attack - and that
too on Linux - it was supposed to be almost impossible.

Ashish



_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
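Added example, not part of Ashish's message or of any reply in this thread: a POSIX shell triage script covering the two checks he describes, `lsattr` for the immutable attribute and `rpm -V` for files whose size, MD5 digest and mtime no longer match the package database, and intersecting the two so that files which are both immutable and content-changed surface first. The sample lsattr and rpm -V lines are constructed. The output formats are assumed to be `<attrs> <path>` for lsattr and `<flags> [c] <path>` for rpm -V, with `5` in the flag field meaning the MD5 digest differs and `c` marking a config file; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): triage the system directories
# the post checked for the immutable attribute, and combine the result with
# `rpm -V` output. Sample lsattr / rpm -V lines below are constructed.

# lsattr prints "<attrs> <path>"; a lowercase 'i' in the attribute field is
# the immutable flag (uppercase 'I', indexed directory, is ignored).
immutable_from_lsattr() {
    awk 'index($1, "i") > 0 { print $2 }'
}

# rpm -V prints "<flags> [c] <path>"; '5' in the flag field means the MD5
# digest differs from what the rpm database recorded at install time.
# Config files (marked 'c') are expected to change and are skipped;
# "missing" lines carry no flag field at all.
digest_changed_from_rpmv() {
    awk '$1 != "missing" && index($1, "5") > 0 && $2 != "c" { print $NF }'
}

# Intersection of both lists: immutable AND not what the package installed.
# $1: lsattr output as a string, $2: rpm -V output as a string.
suspicious_files() {
    imm=$(mktemp); mod=$(mktemp)
    printf '%s\n' "$1" | immutable_from_lsattr   | sort -u > "$imm"
    printf '%s\n' "$2" | digest_changed_from_rpmv | sort -u > "$mod"
    comm -12 "$imm" "$mod"
    rm -f "$imm" "$mod"
}

# Live scan of the directories named in the post (run as root); prints the
# paths that carry the immutable attribute. Not exercised by the sample run.
scan_live() {
    for d in /bin /usr/bin /sbin /usr/sbin /usr/X11R6/bin; do
        [ -d "$d" ] && lsattr "$d"/* 2>/dev/null
    done | immutable_from_lsattr
}

# Constructed sample output, modelled on the post: /bin/ls is immutable and
# its size, digest and mtime differ; /bin/ps likewise; /bin/cat only has a
# new mtime; /etc/inittab is a changed config file; /usr/bin/vi is missing.
SAMPLE_LSATTR='---i-------- /bin/ls
------------ /bin/cat
---i-------- /bin/ps
------------ /usr/bin/vi'

SAMPLE_RPMV='S.5....T   /bin/ls
.......T   /bin/cat
S.5....T   /bin/ps
S.5....T c /etc/inittab
missing    /usr/bin/vi'

echo "immutable AND digest-changed (sample data):"
suspicious_files "$SAMPLE_LSATTR" "$SAMPLE_RPMV"
```

On a live box, run `scan_live` as root and feed `rpm -Va` to `digest_changed_from_rpmv`; anything in the intersection should have `chattr -i` applied and its package reinstalled, as the post did with `rpm --force`. One caveat: `rpm -V` compares against the rpm database using the rpm binary on the same machine, and an intruder who could set the immutable bit as root could also have altered either, so the comparison only means something when checked against package files and checksums obtained from a trusted source.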
