Just because a port is blocked does not mean that it cannot be exploited; if it is being used, it can be found. The only non-exploitable port is a closed one.
So how does one get hacked?
I mean, if you do a pacman -Syu every day (which should give you the latest patches) and you don't have a lot of open ports... how does it happen? E.g. if you have this:
netstat -a|grep LISTEN
tcp 0 0 *:3306 *:* LISTEN
tcp 0 0 *:32782 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
where Apache and MySQL only listen on localhost...
Can you still get hacked then??
Weak passwords, a lot of user accounts with remote access, access to a compiler, a kernel ptrace bug, an OpenSSH bug...
And of course a lot of lamers around the world trying to get into someone's box just to destroy it and/or prove they can do it.
Cheers
Andreas (been there, done that)
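As an added example (not from any post in this thread): a small POSIX shell check over `netstat -a` style output like the listing above. A local address of `*`, `0.0.0.0` or `::` means the socket is bound to every interface, not just localhost, so those are the listeners worth confirming against firewall rules and service configuration. The sample lines are constructed from the thread's listing plus one localhost-only entry.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Reads netstat-style lines on stdin and prints the port of every LISTEN
# socket whose local address is a wildcard (*, 0.0.0.0 or ::), i.e. one
# reachable from any interface rather than only from localhost.

# Constructed sample input: the thread's four lines plus a localhost-only
# SMTP listener that should NOT be reported.
SAMPLE_NETSTAT='tcp 0 0 *:3306 *:* LISTEN
tcp 0 0 *:32782 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 localhost:25 *:* LISTEN'

exposed_listeners() {
    awk '$NF == "LISTEN" {
        addr = $4
        # host is everything before the last colon, port is everything after
        host = addr; sub(/:[^:]*$/, "", host)
        port = addr; sub(/.*:/, "", port)
        if (host == "*" || host == "0.0.0.0" || host == "::")
            print port
    }'
}

# Number of wildcard-bound listeners in the sample (4: 3306, 32782, 6000, www).
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners | wc -l | tr -d ' '
}

# Real use: netstat -an | exposed_listeners   (or ss -ltn on newer systems)
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

With the sample above, 3306 (MySQL) and www (Apache) are reported because `*:` is not a localhost binding; a service meant to be local-only should show `127.0.0.1:` or `localhost:` in that column instead.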
OK, thanks, will reinstall. Never expected this to happen.
Thanks for your help.
I would recommend a complete rebuild of the box; you just can't trust any binaries on a system that's been rooted. Your best bet would be to boot up with the Arch disks, mount your rooted partitions and copy anything off the system that you want to save (data only, NOT binaries). Then wipe the system and reinstall.
Or if that doesn't work, try creating a user with a user ID of 500, su into it and chown all the files to root.
Tried fsck-ing; didn't work.
Why can't I remove these files? Not even as root, and not even if I boot from a CD?
I don't like to reinstall; isn't there a way to let pacman download and install all the packages I've got installed into a different partition and then change the root to that partition??
And how can I find out what method was used to install these rootkits? It seems as if it was done using a trojan, but where did that come from?
BTW: you need to re-format the partition as well (if you are re-installing).
Jon,
PS: that's not to say that re-install is your only option, but it worked for me 'cuz it was fast & easy.
GOOD LUCK!!!!!!!!!
WTF?? How can I solve this? I'm disabling my eth0 until I need it for now. Thanks in advance.
Now suddenly ps does the following:
ps: Symbol `Hertz' has different size in shared object, consider re-linking
ps: relocation error: ps: undefined symbol: proc_hackinit
Have I been hacked?? And how can I fix these files??