is this result of keylogger? am i hacked?
Sergey Spiridonov:
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I
> was typing on keyboard. Strange enough, these files are not
> overwritten, but contain data they should contain + somewhere in the
> middle or at the beginning of the file they contain something I
> typed in browser or in command line in X window system.

One possible reason: your memory is corrupt. Run memtest86 to check that.

J.
Hi

On 07/21/2010 03:40 PM, Jochen Schulz wrote:
> One possible reason: your memory is corrupt. Run memtest86 to check that.

I think memory is not the reason, because some time ago I got a broken /etc/shells file also on another machine, which is running Lenny.

--
Best regards, Sergey Spiridonov
On 07/21/2010 06:39 AM, Sergey Spiridonov wrote:
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I was
> typing on keyboard. Strange enough, these files are not overwritten, but
> contain data they should contain + somewhere in the middle or at the
> beginning of the file they contain something I typed in browser or in
> command line in X window system.
>
> This looks like I am hacked and somebody tries to get my passwords.
> But maybe there is another explanation, like a broken package? Or can
> somebody suggest how I can check it? Reinstalling everything from
> scratch is a lot of work...
>
> System is squeeze, upgraded from lenny a few weeks ago.

Check 'last' and 'lastb' to see if there are any other logins or login attempts other than yourself.
Sergey Spiridonov <sergey.spiridonov@gmail.com> wrote:
> I think memory is not the reason, because some time ago I got a broken
> /etc/shells file also on another machine, which is running Lenny.

Broken memory. Broken kernel (possibly but not necessarily the filesystem driver). Hacked machine. Broken hardware.

For breakage of something as significant as /etc/shells, I'd prioritise investigations in that order. Memtest86+ is a no-brainer, so let it test your machine. Are you using a kernel that's got known issues with whatever filesystem you are using for /etc? (Have you looked?)

What was the outcome of your investigation into the previous situation?

Chris
On the 14811th day after Epoch, Sergey Spiridonov wrote:
> Hi
>
> On 07/21/2010 03:40 PM, Jochen Schulz wrote:
>
>> One possible reason: your memory is corrupt. Run memtest86 to check
>> that.
>
> I think memory is not the reason, because some time ago I got a broken
> /etc/shells file also on another machine, which is running Lenny.

If you are so confident, why ask here?

1) Try memtest, it's a good idea.
2) Unplug your box from the net, to avoid more corruption
3) Check the syslog about disk errors
4) Check roommates/friends/family for any access to your box
5) Tell us more about software installed, especially non Debian packaged software.
6) If you are creationist, ask God ;)
Hi

On 07/21/2010 06:45 PM, Chris Davies wrote:
> For breakage of something as significant as /etc/shells, I'd prioritise
> investigations in that order. Memtest86+ is a no-brainer, so let it
> test your machine. Are you using a kernel that's got known issues with
> whatever filesystem you are using for /etc? (Have you looked?)

I will do checks today, just need to buy a cdrom first. I will report memtest86+, fsck and chkrootkit results this evening.

Kernel is current squeeze kernel. Filesystem is ext3. AFAIK ext3 is quite stable now.

Today I additionally found hidden files in /etc: .passwd.swn and similar .p.*; file tells that they are vim swap files, but inside they also contain keyboard logs (among other data).

> What was the outcome of your investigation into the previous situation?

The previous situation happened on the provider's virtual hosting, so I can not do a lot. Performed nmap from outside, chkrootkit from inside with no results.

--
Sergey
Hi

On 07/21/2010 11:51 PM, François TOURDE wrote:
>> I think memory is not the reason, because some time ago I got a broken
>> /etc/shells file also on another machine, which is running Lenny.
>
> If you are so confident, why ask here?

I am not confident and I will do these tests (just need to buy a cdrom first), just expressed my opinion on this. I also found yesterday swp files with keyboard logs (see my other mail).

> 1) Try memtest, it's a good idea.

Will do this evening.

> 2) Unplug your box from the net, to avoid more corruption

Done.

> 3) Check the syslog about disk errors

There are none.

> 4) Check roommates/friends/family for any access to your box

Done.

> 5) Tell us more about software installed, especially non Debian packaged software.

Since I upgraded to squid I did not install anything special. Before, in lenny, I did compile, package and install several packages like openttd with highres graphics patch, mozilla and its dependencies from testing; also adobe flash from debian non-free and nvidia from debian non-free are installed. That is all I remember right now.

> 6) If you are creationist, ask God ;)

Will try, good idea :)

--
Sergey
Hi

I ran memcheck 4.0, it showed no problem.

Unfortunately I can not use knoppix to mount and check my partitions with fsck and chkrootkit, because latest knoppix (6.2.1) for whatever reason does not include cryptsetup. :(

--
Best regards, Sergey Spiridonov
On 7/25/10 12:52 PM, Sergey Spiridonov wrote:
> Hi
>
> I ran memcheck 4.0, it showed no problem.
>
> Unfortunately I can not use knoppix to mount and check my partitions
> with fsck and chkrootkit, because latest knoppix (6.2.1) for whatever
> reason does not include cryptsetup. :(

You can however use the Ubuntu live CD (or preferably liveUSB ~ since you can install a few necessary packages you might want) to do that. Knoppix is just godly because it includes a lot of tools that you will want to repair your system, but you can of course build the same thing using any liveCD if you so choose.
On 7/25/10 5:30 PM, Jordon Bedwell wrote:
> On 7/25/10 12:52 PM, Sergey Spiridonov wrote:
>> Hi
>>
>> I ran memcheck 4.0, it showed no problem.
>>
>> Unfortunately I can not use knoppix to mount and check my partitions
>> with fsck and chkrootkit, because latest knoppix (6.2.1) for whatever
>> reason does not include cryptsetup. :(
>
> You can however use the Ubuntu live CD (or preferably liveUSB ~ since you
> can install a few necessary packages you might want) to do that. Knoppix
> is just godly because it includes a lot of tools that you will want to
> repair your system, but you can of course build the same thing using any
> liveCD if you so choose.

Also, to add, if you plan on doing a cryptographic integrity check, you need to do this from a liveCD not from a liveUSB. The only reason you would do a liveUSB is for things like fsck and chkrootkit (where you would mount as readonly at first)
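The two symptoms reported in this thread (typed text inside /etc/shells and hidden swap files in /etc) can be checked from a live medium with the suspect root mounted read-only. The script below is an added example, not part of any post in the thread; the mount point argument and the function names are assumptions, and the header offsets follow the block 0 layout of Vim swap files.

```shell
#!/bin/sh
# Added example: triage of the two symptoms reported in the thread, run from
# a live medium against the suspect root filesystem mounted read-only.
# ROOT (e.g. /mnt/suspect) is an assumed mount point, not from the thread.

# Print "lineno:text" for each line of ROOT/etc/shells that is not blank, a
# comment, or a single absolute path: the only forms the file should hold.
suspect_shells_lines() {
    awk '
        /^[ \t]*$/    { next }   # blank line
        /^#/          { next }   # comment
        /^\/[^ \t]*$/ { next }   # absolute path, no whitespace
        { printf "%d:%s\n", NR, $0 }
    ' "$1/etc/shells"
}

# Read a NUL-padded text field of LEN bytes at OFFSET from FILE.
field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# For each hidden .*.sw? file under ROOT/etc print "path|kind|user|host".
# A real Vim swap file starts with "b0VIM " and records the editing user at
# byte 28 and the host name at byte 68 (40 bytes each), which shows whose
# editor session created it.
swap_file_report() {
    find "$1/etc" -type f -name '.*.sw?' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        if [ "$(field "$f" 0 6)" = "b0VIM " ]; then
            printf '%s|vim-swap|%s|%s\n' "$f" \
                "$(field "$f" 28 40)" "$(field "$f" 68 40)"
        else
            printf '%s|not-a-swap-file|-|-\n' "$f"
        fi
    done
}

# When a mount point is given on the command line, run both checks on it.
if [ -n "${1:-}" ]; then
    echo "== foreign lines in etc/shells =="; suspect_shells_lines "$1"
    echo "== hidden swap files in etc ==";    swap_file_report "$1"
fi
```

A swap file with a valid header whose user and host match your own editing sessions is an ordinary leftover from Vim; any output from the first check means /etc/shells holds content that does not belong there.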