is this result of keylogger? am i hacked? (http://www.linux-archive.org/debian-user/402165-result-keylogger-am-i-hacked.html)

Jochen Schulz 07-21-2010 01:40 PM

is this result of keylogger? am i hacked?
 
Sergey Spiridonov:
>
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I
> was typing on keyboard. Strange enough, this files are not
> overwritten, but contain data they should contain + somewhere in the
> middle or at the beginning of the file they contain something I
> typed in browser or in command line in X window system.

One possible reason: your memory is corrupt. Run memtest86 to check
that.

J.
--
In an ideal world I would cure poverty and go to the gym at least three
days a week.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

Sergey Spiridonov 07-21-2010 02:28 PM

is this result of keylogger? am i hacked?
 
Hi

On 07/21/2010 03:40 PM, Jochen Schulz wrote:

> One possible reason: your memory is corrupt. Run memtest86 to check
> that.

I think memory is not the reason, because some time ago I got a broken
/etc/shells file also on another machine, which is running Lenny.


--
Best regards, Sergey Spiridonov


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: http://lists.debian.org/uocjh7-1ke.ln1@legba.gamic.com

Aaron Toponce 07-21-2010 04:25 PM

is this result of keylogger? am i hacked?
 
On 07/21/2010 06:39 AM, Sergey Spiridonov wrote:
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I was
> typing on keyboard. Strange enough, this files are not overwritten, but
> contain data they should contain + somewhere in the middle or at the
> beginning of the file they contain something I typed in browser or in
> command line in X window system.
>
> This looks like that I am hacked and somebody try to get my passwords.
> But may be there is another explanation, like broken package? Or can
> somebody suggest, how can I check it? Reinstalling everything from
> scratch is a lot of work...
>
> System is squeeze, upgraded from lenny few weeks ago.

Check 'last' and 'lastb' to see if there are any other logins or login
attempts other than yourself.

--
. O . O . O . . O O . . . O .
. . O . O O O . O . O O . . O
O O O . O . . O O O O . O O O

Chris Davies 07-21-2010 04:45 PM

is this result of keylogger? am i hacked?
 
Sergey Spiridonov <sergey.spiridonov@gmail.com> wrote:
> I think memory is not the reason, because some time ago I got a broken
> /etc/shells file also on another machine, which is running Lenny.

Broken memory. Broken kernel (possibly but not necessarily the filesystem
driver). Hacked machine. Broken hardware.

For breakage of something as significant as /etc/shells, I'd prioritise
investigations in that order. Memtest86+ is a no-brainer, so let it
test your machine. Are you using a kernel that's got known issues with
whatever filesystem you are using for /etc? (Have you looked?)

What was the outcome of your investigation into the previous situation?

Chris


Archive: http://lists.debian.org/dpkjh7xetr.ln2@news.roaima.co.uk

François TOURDE 07-21-2010 09:51 PM

is this result of keylogger? am i hacked?
 
On the 14811th day after Epoch,
Sergey Spiridonov wrote:

> Hi
>
> On 07/21/2010 03:40 PM, Jochen Schulz wrote:
>
>> One possible reason: your memory is corrupt. Run memtest86 to check
>> that.
>
> I think memory is not the reason, because some time ago I got a broken
> /etc/shells file also on another machine, which is running Lenny.

If you are so confident, why ask here?

1) Try memtest, it's a good idea.

2) Unplug your box from the net, to avoid more corruption

3) Check the syslog about disk errors

4) Check colocs/friends/family for any access to your box

5) Tell us more about software installed, especially non-Debian-packaged
software.

6) If you are creationist, ask God ;)


Archive: http://lists.debian.org/87vd88qz9i.fsf@fermat.tourde.home

Sergey Spiridonov 07-23-2010 08:04 AM

is this result of keylogger? am i hacked?
 
Hi

On 07/21/2010 06:45 PM, Chris Davies wrote:

> For breakage of something as significant as /etc/shells, I'd prioritise
> investigations in that order. Memtest86+ is a no-brainer, so let it
> test your machine. Are you using a kernel that's got known issues with
> whatever filesystem you are using for /etc? (Have you looked?)

I will do checks today, just need to buy a cdrom first. I will report
memtest86+, fsck and chkrootkit results this evening. Kernel is the current
squeeze kernel. Filesystem is ext3. AFAIK ext3 is quite stable now.


Today I found additionally hidden files in /etc:

.passwd.swn and similar .p.*

file tells that they are vim swap files, but inside they also contain
keyboard logs (among other data).


> What was the outcome of your investigation into the previous situation?

The previous situation happened on the provider's virtual hosting, so I
can not do a lot. Performed nmap from outside, chkrootkit from inside
with no results.


--
Sergey


Archive: http://lists.debian.org/52vnh7-83o.ln1@legba.gamic.com

Sergey Spiridonov 07-23-2010 08:19 AM

is this result of keylogger? am i hacked?
 
Hi

On 07/21/2010 11:51 PM, François TOURDE wrote:

>> I think memory is not the reason, because some time ago I got a broken
>> /etc/shells file also on another machine, which is running Lenny.
>
> If you are so confident, why ask here?

I am not confident and I will do these tests (just need to buy a cdrom
first), I just expressed my opinion on this. I also found yesterday swp
files with keyboard logs (see my other mail).

> 1) Try memtest, it's a good idea.

Will do this evening.

> 2) Unplug your box from the net, to avoid more corruption

Done.

> 3) Check the syslog about disk errors

There are none.

> 4) Check colocs/friends/family for any access to your box

Done.

> 5) Tell us more about software installed, especially non-Debian-packaged
> software.

Since I upgraded to squeeze I did not install anything special. Before,
in lenny I compiled, packaged and installed several packages like
openttd with the highres graphics patch, mozilla and its dependencies from
testing; also adobe flash from debian non-free and nvidia from debian
non-free are installed. That is all I remember right now.

> 6) If you are creationist, ask God ;)

Will try, good idea :)
--
Sergey


Archive: http://lists.debian.org/duvnh7-t3o.ln1@legba.gamic.com

Sergey Spiridonov 07-25-2010 05:52 PM

is this result of keylogger? am i hacked?
 
Hi

I ran memcheck 4.0, it showed no problem. Unfortunately I can not use
knoppix to mount and check my partitions with fsck and chkrootkit,
because the latest knoppix (6.2.1) for whatever reason does not include
cryptsetup. :(


--
Best regards, Sergey Spiridonov


Archive: http://lists.debian.org/i2htm6$4rd$1@dough.gmane.org

Jordon Bedwell 07-25-2010 10:30 PM

is this result of keylogger? am i hacked?
 
On 7/25/10 12:52 PM, Sergey Spiridonov wrote:

> Hi
>
> I ran memcheck 4.0, it showed no problem. Unfortunately I can not use
> knoppix to mount and check my partitions with fsck and chkrootkit,
> because the latest knoppix (6.2.1) for whatever reason does not include
> cryptsetup. :(

You can however use the Ubuntu live CD (or preferably liveUSB ~ since
you can install a few necessary packages you might want) to do that.
Knoppix is just godly because it includes a lot of tools that you will
want to repair your system, but you can of course build the same thing
using any liveCD if you so choose.



Archive: http://lists.debian.org/4C4CBB15.5000400@envygeeks.com

Jordon Bedwell 07-25-2010 10:51 PM

is this result of keylogger? am i hacked?
 
On 7/25/10 5:30 PM, Jordon Bedwell wrote:

> On 7/25/10 12:52 PM, Sergey Spiridonov wrote:
>
>> Hi
>>
>> I ran memcheck 4.0, it showed no problem. Unfortunately I can not use
>> knoppix to mount and check my partitions with fsck and chkrootkit,
>> because the latest knoppix (6.2.1) for whatever reason does not include
>> cryptsetup. :(
>
> You can however use the Ubuntu live CD (or preferably liveUSB ~ since
> you can install a few necessary packages you might want) to do that.
> Knoppix is just godly because it includes a lot of tools that you will
> want to repair your system, but you can of course build the same thing
> using any liveCD if you so choose.

Also, to add, if you plan on doing a cryptographic integrity check, you
need to do this from a liveCD, not from a liveUSB. The only reason you
would do a liveUSB is for things like fsck and chkrootkit (where you
would mount as read-only at first).



Archive: http://lists.debian.org/4C4CBFFC.3000203@envygeeks.com
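The thread's advice adds up to an offline triage procedure: mount the suspect root read-only from live media (Jordon), compare /etc against what the packages installed (Chris's "broken package?" question), and look for the stray dotfiles Sergey found (.passwd.swn). The script below is an added example written for this page, not code posted by anyone in the thread. It assumes md5sum from coreutils and the dpkg md5sums format ("<md5>  <path relative to root>") as found in /var/lib/dpkg/info/*.md5sums; the sample tree it builds is constructed for the demonstration and is not a real system.

```sh
#!/bin/sh
# Added example, not code from the thread. Offline integrity triage for an
# /etc tree: mount the suspect root read-only from live media, e.g.
#   mount -o ro /dev/mapper/root /mnt && check_tree /mnt
# then compare files against the MD5 sums dpkg recorded at install time and
# list hidden files such as stray editor swap files (.passwd.swn in the thread).
# Assumes md5sum (coreutils) and the dpkg md5sums format "<md5>  <relpath>".

# verify_md5sums ROOT SUMSFILE
# Prints "MISMATCH <relpath>" where current content differs from the recorded
# sum and "MISSING <relpath>" where a recorded file no longer exists.
verify_md5sums() {
    vroot=$1
    vsums=$2
    while read -r expected rel; do
        [ -n "$rel" ] || continue          # skip blank lines
        vpath="$vroot/$rel"
        if [ ! -f "$vpath" ]; then
            echo "MISSING $rel"
            continue
        fi
        actual=$(md5sum "$vpath" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "MISMATCH $rel"
    done < "$vsums"
}

# find_hidden_etc_files ROOT
# Lists dotfiles under ROOT/etc with the ROOT prefix stripped. Editor swap
# files (.name.swp / .swn) are normal while a file is open but should not
# persist in /etc, so any that do deserve a look at their contents.
find_hidden_etc_files() {
    find "$1/etc" -type f -name '.*' 2>/dev/null | sed "s|^$1||" | sort
}

# check_tree ROOT
# Runs both checks over every dpkg md5sums list found under ROOT.
check_tree() {
    for sums in "$1"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$sums" ] && verify_md5sums "$1" "$sums"
    done
    find_hidden_etc_files "$1" | sed 's/^/HIDDEN /'
}

# make_sample_tree
# Builds a constructed sample root (not a real system) with one clean file,
# one tampered file, one recorded-but-missing file and one stray swap file,
# and prints its path. Only for demonstrating the functions above.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/default" "$d/var/lib/dpkg/info"
    printf '/bin/sh\n/bin/bash\n' > "$d/etc/default/clean"
    printf '/bin/sh\n/bin/bash\n' > "$d/etc/default/tampered"
    printf 'stray swap content\n' > "$d/etc/.passwd.swn"
    {
        printf '%s  etc/default/clean\n' "$(md5sum "$d/etc/default/clean" | cut -d' ' -f1)"
        printf '%s  etc/default/tampered\n' "$(md5sum "$d/etc/default/tampered" | cut -d' ' -f1)"
        # placeholder sum for a file that is deliberately absent
        printf 'd41d8cd98f00b204e9800998ecf8427e  etc/default/gone\n'
    } > "$d/var/lib/dpkg/info/sample.md5sums"
    # Simulate the symptom from the thread: typed text spliced into a file
    # that otherwise still holds its expected content.
    printf '/bin/sh\ntyped text here\n/bin/bash\n' > "$d/etc/default/tampered"
    echo "$d"
}
```

Run `check_tree /mnt` against the read-only mount and read every MISMATCH, MISSING and HIDDEN line. Note the limits: dpkg records sums only for files shipped inside a package; conffiles are listed separately in /var/lib/dpkg/status, and files that maintainer scripts generate (the thread's /etc/shells is maintained by add-shell) have no recorded sum at all. A clean report narrows the search but does not clear the machine, which is why the thread also asks for memtest86+, fsck, chkrootkit and the login history from last and lastb.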

