Gentoo Forums
[solved] cleaning the system from malware
Gentoo Forums Forum Index > Networking & Security
bendeguz
Apprentice
Joined: 10 Feb 2010
Posts: 184
Posted: Mon May 24, 2010 10:08 am    Post subject: [solved] cleaning the system from malware

Hi!

I'm wondering if I suspect some malicious code in my system, what would be a proper way to rebuild it like if it was a clean install? I'm thinking of "emerge -e world", reinstalling configuration files, cleaning tmp folders and stuff like that.

Thanks for reading...


Last edited by bendeguz on Mon May 24, 2010 12:55 pm; edited 1 time in total
phajdan.jr
Developer
Joined: 23 Mar 2006
Posts: 1767
Location: Poland
Posted: Mon May 24, 2010 11:38 am

You may want to use tools like rkhunter and chkrootkit.

However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.

Let me repeat once more: a hacked system must be reinstalled from scratch.
_________________
http://phajdan-jr.blogspot.com/
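What "you can't trust the subverted system" means in practice is that any check has to be done with tools from a trusted boot medium, against the suspect disk mounted read-only, never with the binaries on the suspect disk itself. The POSIX shell script below is an added example illustrating that post; it is not code from the thread or from Portage. It parses the per-package CONTENTS records that Portage keeps under /var/db/pkg (`dir`, `obj /path <md5> <mtime>`, `sym /path -> <target> <mtime>`) and compares each recorded MD5 digest and symlink target against the files found under a mount point. The mount point /mnt/suspect and the device name in the comments are assumptions for illustration, as is the constructed package used in the usage example; md5sum, readlink and cut are expected to come from the live medium.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a suspect Gentoo root
# offline against Portage's own CONTENTS records.
#
# Boot a trusted live medium, mount the suspect root read-only, then run
# this script with the mount point as its argument, e.g. (device name assumed):
#   mount -o ro /dev/sdX3 /mnt/suspect
#   sh check_gentoo_root.sh /mnt/suspect
#
# Caveat: CONTENTS and its digests were written by the suspect system, so an
# attacker with root could have rewritten them too. A clean result is not
# proof of a clean system; a mismatch is a concrete lead. Paths containing
# spaces are not handled by this example.

# check_contents ROOT CONTENTS_FILE
# Prints one line per discrepancy; returns 0 if there are none, 1 otherwise.
check_contents() {
    root=$1
    contents=$2
    bad=0
    while read -r kind path rest; do
        case $kind in
            dir)
                [ -d "$root$path" ] || { printf 'MISSING_DIR %s\n' "$path"; bad=$((bad + 1)); }
                ;;
            obj)
                want=${rest% *}        # rest is "<md5> <mtime>"; keep the md5
                if [ ! -f "$root$path" ]; then
                    printf 'MISSING %s\n' "$path"; bad=$((bad + 1))
                else
                    have=$(md5sum "$root$path" | cut -d' ' -f1)
                    [ "$have" = "$want" ] || { printf 'CHANGED %s\n' "$path"; bad=$((bad + 1)); }
                fi
                ;;
            sym)
                t=${rest#-> }          # rest is "-> <target> <mtime>"; drop the marker
                want=${t% *}           # keep the target, drop the mtime
                if [ ! -L "$root$path" ]; then
                    printf 'MISSING_SYMLINK %s\n' "$path"; bad=$((bad + 1))
                else
                    have=$(readlink "$root$path")
                    [ "$have" = "$want" ] || { printf 'RETARGETED %s\n' "$path"; bad=$((bad + 1)); }
                fi
                ;;
        esac
    done < "$contents"
    [ "$bad" -eq 0 ]
}

# check_all_packages ROOT
# Runs check_contents over every installed package recorded under ROOT,
# prefixing each finding with the package name. Returns 0 only if every
# package verified cleanly.
check_all_packages() {
    root=$1
    rc=0
    for c in "$root"/var/db/pkg/*/*/CONTENTS; do
        [ -f "$c" ] || continue
        pkg=${c#"$root"/var/db/pkg/}
        pkg=${pkg%/CONTENTS}
        out=$(check_contents "$root" "$c") || rc=1
        [ -z "$out" ] || printf '%s\n' "$out" | while read -r line; do
            printf '%s: %s\n' "$pkg" "$line"
        done
    done
    return $rc
}

# Stand-alone usage: sh check_gentoo_root.sh /mnt/suspect
if [ -n "$1" ]; then
    check_all_packages "$1" && printf 'all recorded files match CONTENTS\n'
fi
```

Gentoo's own qcheck (from app-portage/portage-utils) performs the same comparison, but running it on the live suspect host is exactly what the post above warns against; the point of this version is that it needs nothing from the suspect disk except the data files. Files that exist on the disk but appear in no CONTENTS record (a dropped-in binary in /usr/local, a cron job, an extra kernel module) are not covered here and need a separate sweep.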
bendeguz
Apprentice
Joined: 10 Feb 2010
Posts: 184
Posted: Mon May 24, 2010 12:18 pm

phajdan.jr wrote:
You may want to use tools like rkhunter and chkrootkit.

However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.

Let me repeat once more: a hacked system must be reinstalled from scratch.


Thank you for your answer!
Would you be so kind as to have a look at this? (Maybe you already did before)
http://forums.gentoo.org/viewtopic-t-818338-highlight-tcp+timestamp.html

This is the reason for my question. I still don't know the explanation of this.
To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.
I realized that if I put my machine on a router which I built, based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.
phajdan.jr
Developer
Joined: 23 Mar 2006
Posts: 1767
Location: Poland
Posted: Mon May 24, 2010 12:33 pm

bendeguz wrote:
This is the reason for my question. I still don't know the explanation of this.
To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.
I realized that if I put my machine on a router which I built, based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.


Doesn't look like a hack. Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious like in this case.
_________________
http://phajdan-jr.blogspot.com/
bendeguz
Apprentice
Joined: 10 Feb 2010
Posts: 184
Posted: Mon May 24, 2010 12:55 pm

phajdan.jr wrote:

Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious like in this case.


Good point, thank you.