bendeguz Apprentice
Joined: 10 Feb 2010 Posts: 189
Posted: Mon May 24, 2010 10:08 am    Post subject: [solved] cleaning the system from malware
Hi!
I'm wondering if I suspect some malicious code in my system, what would be a proper way to rebuild it like if it was a clean install? I'm thinking of "emerge -e world", reinstalling configuration files, cleaning tmp folders and stuff like that.
Thanks for reading...
Last edited by bendeguz on Mon May 24, 2010 12:55 pm; edited 1 time in total
phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Mon May 24, 2010 11:38 am    Post subject:
You may want to use tools like rkhunter and chkrootkit.
However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.
Let me repeat once more: a hacked system must be reinstalled from scratch.
_________________
http://phajdan-jr.blogspot.com/
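One concrete way to act on the advice above (check the suspect disk from outside it, never from the running system) is to boot trusted media, mount the suspect root read-only, and compare every file Portage installed against the MD5 digests it recorded at install time. The script below is an added example, not code from the thread or from any Gentoo tool; it assumes the suspect root is mounted under a directory you pass as ROOT, and its demo data is constructed. Because the CONTENTS records live on the same suspect disk, a clean result only narrows the search; it does not prove the system is clean, which is exactly why the post above still recommends a reinstall.

```python
# Added example: offline check of a Gentoo root (mounted read-only under ROOT from
# trusted boot media) against the digests Portage records in
# /var/db/pkg/<category>/<package>/CONTENTS. Lines there look like
#   obj /bin/ls <md5> <mtime>   (regular file, digest verified here)
#   sym /bin/sh -> bash <mtime> (symlink, no digest, skipped)
#   dir /bin                    (directory, skipped)
import hashlib
import tempfile
from pathlib import Path


def parse_contents(text):
    """Yield (path, md5) for each 'obj' line of a CONTENTS file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "obj":
            # The path may contain spaces; digest and mtime are the last two fields.
            yield " ".join(parts[1:-2]), parts[-2]


def check_root(root):
    """Return {'ok': [...], 'modified': [...], 'missing': [...]} for ROOT."""
    root = Path(root)
    result = {"ok": [], "modified": [], "missing": []}
    for contents in root.glob("var/db/pkg/*/*/CONTENTS"):
        for rel, expected in parse_contents(contents.read_text(errors="replace")):
            target = root / rel.lstrip("/")
            if not target.is_file():
                result["missing"].append(rel)
            elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
                result["modified"].append(rel)
            else:
                result["ok"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def build_demo_root():
    """Constructed sample root: one intact, one altered and one deleted file."""
    root = Path(tempfile.mkdtemp())
    files = {"bin/ls": b"original ls\n", "bin/ps": b"original ps\n", "bin/netstat": b"x\n"}
    lines = []
    for rel, data in files.items():
        lines.append(f"obj /{rel} {hashlib.md5(data).hexdigest()} 1274700000")
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    (root / "bin/ps").write_bytes(b"replaced ps\n")  # simulate a tampered binary
    (root / "bin/netstat").unlink()                  # simulate a deleted file
    db = root / "var/db/pkg/sys-apps/demo-pkg-1.0"   # hypothetical package name
    db.mkdir(parents=True)
    (db / "CONTENTS").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for status, paths in check_root(build_demo_root()).items():
        print(status, paths)
```

On a real disk, run it as `check_root("/mnt/suspect")` after mounting with `-o ro`; anything listed under modified or missing is what to inspect first.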
bendeguz Apprentice
Joined: 10 Feb 2010 Posts: 189
Posted: Mon May 24, 2010 12:18 pm    Post subject:
phajdan.jr wrote:
    You may want to use tools like rkhunter and chkrootkit.
    However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.
    Let me repeat once more: a hacked system must be reinstalled from scratch.
Thank you for your answer!
Would you be so kind as to have a look at this? (Maybe you already did before)
https://forums.gentoo.org/viewtopic-t-818338-highlight-tcp+timestamp.html
This is the reason for my question. I still don't know the explanation for this.
To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.
I realized that if I put my machine on a router which I built, based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.
phajdan.jr Retired Dev
Joined: 23 Mar 2006 Posts: 1777 Location: Poland
Posted: Mon May 24, 2010 12:33 pm    Post subject:
bendeguz wrote:
    This is the reason for my question. I still don't know the explanation for this.
    To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.
    I realized that if I put my machine on a router which I built, based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.
Doesn't look like a hack. Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious, like in this case.
_________________
http://phajdan-jr.blogspot.com/
bendeguz Apprentice
Joined: 10 Feb 2010 Posts: 189
Posted: Mon May 24, 2010 12:55 pm    Post subject:
phajdan.jr wrote:
    Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious, like in this case.
Good point, thank you.