A friend of mine changed his root password to something idiotic after I set up his system, and some bot dictionary-attacked his box and got root access. Now there are ttymon and tymon running in the background, and I'm not sure where they're being launched from. I've reinstalled the archlinux kernel and coreutils, and chkrootkit came back clean (though I *KNOW* ls was not the original utility).
Anyway, what should I do to help him clean up his box? Reinstalling from scratch would be a bit of a pain, but it's what I'm going to try to convince him to do.
Tell him you really can't tell if there's a rootkit (chkrootkit only checks for some common known rks and signs of rks) and point him here.
Also, any hacker worth his bandwidth will try to open as many hidden back doors as possible. It's almost impossible to know for certain that you've gotten rid of all of them. Reinstallation is really the only practical option.
Reinstall if you have good reason to believe it's ever been compromised. I always recommend chkrootkit and rkhunter, but the reality is that a good kit will render them useless in any event. Booting from a forensics disk and running things from there is best.
Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein
I booted from the archlinux install disc, mounted the root partition, and ran rkhunter. It found SHV4/SHV5. Using the log files it created, I went and deleted everything it found. Now on boot there are no longer any fishy-looking processes, and the machine's CPU usage isn't 50-60% while idling at a console.
BTW, my friend discovered the compromise of his system when he got an email from residential computing saying that sysadmins from Germany were complaining about his box DoSing them.
I'm still working on him to nuke and start over, but it'll probably take another compromise before he agrees to it.
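The offline check the last two posts describe (boot a trusted live medium, mount the suspect root, and inspect it from there rather than trusting the binaries on the compromised system), written out as an added example. This is not code posted by anyone in this thread. It compares the hashes of binaries that userland rootkits commonly replace against copies taken from a trusted tree; the mount points, the binary list and the `demo` helper are assumptions, and the demo builds two throwaway directory trees so it can be run anywhere without a compromised machine.

```shell
#!/bin/sh
# Offline integrity check: compare binaries in a mounted suspect root
# against the same binaries from a trusted reference tree.
# Assumption (not from the thread): the suspect root is mounted, ideally
# read-only, at the first argument (e.g. /mnt) and the trusted tree (the
# live medium's own "/", or a package extracted into a temp dir) at the
# second. Run this from the live system, never from the suspect one.

# Binaries that userland rootkits typically trojan to hide themselves.
# Illustrative list; extend it for the system being examined.
SUSPECT_BINS="bin/ls bin/ps bin/netstat bin/find bin/login usr/bin/top usr/bin/lsof"

hash_file() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# verify_tree SUSPECT_ROOT TRUSTED_ROOT
# Prints one line per binary: OK, MODIFIED, MISSING (absent from the
# suspect tree) or NOREF (no trusted copy available to compare against).
# Returns 1 if anything is MODIFIED or MISSING, 0 otherwise.
verify_tree() {
    suspect="$1"; trusted="$2"; bad=0
    for rel in $SUSPECT_BINS; do
        s="$suspect/$rel"; t="$trusted/$rel"
        if [ ! -e "$t" ]; then
            echo "NOREF    $rel"
        elif [ ! -e "$s" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$s")" = "$(hash_file "$t")" ]; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"; bad=1
        fi
    done
    return $bad
}

# count_modified SUSPECT_ROOT TRUSTED_ROOT
# Prints the number of MODIFIED or MISSING binaries (0 when clean).
count_modified() {
    verify_tree "$1" "$2" | grep -c -E '^(MODIFIED|MISSING)' || true
}

# Self-contained demo on two constructed trees: "good" stands in for the
# trusted reference, "bad" for the mounted suspect root with a trojaned
# ls and a deleted netstat.
demo() {
    base=$(mktemp -d)
    for root in good bad; do
        for rel in $SUSPECT_BINS; do
            mkdir -p "$base/$root/$(dirname "$rel")"
            printf 'genuine %s\n' "$rel" > "$base/$root/$rel"
        done
    done
    printf 'trojan\n' > "$base/bad/bin/ls"
    rm -f "$base/bad/bin/netstat"
    verify_tree "$base/bad" "$base/good"
    echo "modified or missing: $(count_modified "$base/bad" "$base/good")"
    rm -rf "$base"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh check.sh demo` to see the constructed case, or `verify_tree /mnt /` from a live system with the suspect root on `/mnt`. The trusted copies must really be trusted: hashes taken from the live medium only prove the suspect binary differs from that build, so a mismatch on a legitimately different package version still needs a look at the file before it is treated as a trojan, and a match proves nothing about a kernel-level kit. chkrootkit's `-r dir` option applies the same idea by pointing its tests at a mounted root instead of the running system.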
Hopefully he learned his lesson.