Dear all,
Today my system was slowing much more than ever. Hence decided to run rkhunter. It seems to have found some issues, could somebody take a
look and see if these are false positives or what ?
I don't know the hash sums it quotes are current or off-date from the
one debian provides. I did see #651119 but it will be better if
somebody better than me can see if everything is good or off.
--
Regards,
Shirish Agarwal शिरीष अग्रवाल
My quotes in this email licensed under CC 3.0 http://creativecommons.org/licenses/by-nc/3.0/ http://flossexperiences.wordpress.com
E493 D466 6D67 59F5 1FD0 930F 870E 9A5B 5869 609C
netstat -atupn
That shows all open tcp and udp ports. Invoke this before you start
systemctl disable avahi-daemon/other-daemon
systemctl stop avahi-daemon
systemctl disable rpcbind.socket
systemctl stop rpcbind.socket
apt-get remove kdeconnect
ps ax
That may also be of help:
pstree -p
ls -l /proc/1234/exe
dpkg -S /bin/bash
systemctl -t service -a
Anyways, I don't really know much about netstat, hence I used ss, which is
a utility to investigate sockets. Fortunately the installed version of iproute2
is 5.6.0-1, which gives the option of doing something like:
# ss -p
On 07.05.20 at 19:14, shirish शिरीष wrote:
Dear all,
Today my system was slowing much more than ever. Hence decided to run
rkhunter. It seems to have found some issues, could somebody take a
look and see if these are false positives or what ?
I don't know the hash sums it quotes are current or off-date from the
one debian provides. I did see #651119 but it will be better if
somebody better than me can see if everything is good or off.
Looks like a kernel rootkit as programs like init, modprobe and
systemd are reported to be manipulated. That should make sense if
additional kernel modules and/or daemons are loaded. Since rkhunter
seems to only report altered files where the locally stored hash has not
been attacked, but not additional files in your system, you may
additionally want to run debcheckroot to find out about such files (https://www.elstel.org/debcheckroot/). Anyway, you should reinstall
your system. You could try to look at the mtime (modification time) of
the files that are reported to be manipulated and search for other files
with approximately the same date. Use the find utility to do so:
find / -printf "%Y %p # %TY-%Tm-%Td_%TH:%TM %AY-%Am-%Ad %CY-%Cm-%Cd\n"
and:
There are three timestamps: modification time (m), inode modification time (c) - file attributes/creation, and last access time (a). Take care
of the last access time: even running find on the files may change that without using -noatime or something of the like.
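As an added illustration of the mtime search described above (example code, not part of the original message), this script takes one flagged file as reference and lists every regular file under a directory whose mtime lies within a chosen window of it, printing the m/a/c times in the same %T/%A/%C style. It assumes GNU find, stat and touch (as on Debian) and builds a constructed sample tree with made-up timestamps; the file names in it are illustrative only.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find/stat/touch (as on Debian).
# List regular files whose mtime is within WINDOW seconds of the mtime of a
# reference file (e.g. a binary rkhunter flagged), printing type, path and the
# three timestamps: m (modification), a (access), c (inode change).
files_near_mtime() {
    ref=$1 window=$2 dir=$3
    ref_m=$(stat -c %Y "$ref") || return 1
    # %T@ is mtime in epoch seconds; awk keeps rows inside [ref_m-window, ref_m+window].
    # find only stat()s the files, which does not update their atime; reading
    # file contents (e.g. hashing them) would.
    find "$dir" -xdev -type f \
        -printf '%T@ %y %p # m=%TY-%Tm-%Td_%TH:%TM a=%AY-%Am-%Ad_%AH:%AM c=%CY-%Cm-%Cd_%CH:%CM\n' |
        awk -v s="$((ref_m - window))" -v e="$((ref_m + window))" \
            '$1 >= s && $1 <= e { $1 = ""; sub(/^ /, ""); print }' | sort
}

# Constructed sample tree (made-up names and epochs): one "flagged" binary
# plus neighbours at various mtimes; only the relative spacing matters.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/sbin" "$t/lib" "$t/etc"
    touch -d @1588870440 "$t/sbin/init"        # the flagged file
    touch -d @1588870500 "$t/lib/mod.ko"       # +60 s: same install burst
    touch -d @1588874000 "$t/etc/unknown.conf" # +59 min 20 s: still inside 1 h
    touch -d @1588780000 "$t/etc/passwd"       # ~25 h earlier: unrelated
    touch -d @1588960000 "$t/lib/libc.so"      # ~25 h later: unrelated
    printf '%s\n' "$t"
}

# Demo: everything modified within one hour of the flagged file.
tree=$(make_sample_tree)
files_near_mtime "$tree/sbin/init" 3600 "$tree"
rm -rf "$tree"
```

On a real system you would point it at a file rkhunter reported and at / (the -xdev keeps it on one filesystem), then widen or narrow the window as the hits cluster.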