On Mon, 24 Feb 2014 17:28:32 +0100
ha <hiei.arh...@gmail.com> wrote:

> > debsums -ac -r /mnt
>
> Great, thanks! I didn't know about debsums.
> However, it does not report anything when started from the debian live usb.

Well, that's good. Meaning, that's simply a misuse of root, not a rooted
host. No reinstall is necessary, probably, simple removal of:

/etc/init.d/vmtoolsd
/etc/pam.d/vmtoolsd
/usr/bin/vmtoolsd

should do it. Don't forget to change the root password just in case.

> I will format disk and do the fresh install anyway, but I simply do not
> understand how something like this could be done. This is the first time
> I noticed something like this, simply because it is a fresh install.

Three possible ways:

1) Unofficial install media. You won't believe what kind of strange
gizmos people put into these ;)

2) Lack of physical security. Remove an HDD, place it into another host,
copy some files, put back.

3) Someone has a root password, and that's not you. Or, you left root
shell and an unlocked screen, someone has used it.

> By the way, do not have sshd installed (and there is no /usr/sbin/sshd).

I mentioned sshd as an example. There are plenty of ways to do remote
connection to the host (telnet, VNC, XDMCP), all of them can be used for
the root access.

Just to be on the safe side, scan your host with
'nmap -sT -sU -p 1-65535' for both ipv4 and ipv6. Consider blocking
everything unneeded with iptables.

> And no suspicious users in /etc/passwd.

That's good.

Reco
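
Added example, not part of the thread and not code from either poster: debsums compares files that packages ship against their recorded checksums, so a file that no package owns falls outside what it checks. The script below lists such files under a mounted root by reading that root's `/var/lib/dpkg/info/*.list`; the function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. debsums compares files that packages
# ship against their recorded checksums; this lists files no package claims.

# unowned_files ROOT DIR...
# Prints absolute paths (as seen inside ROOT) of regular files and symlinks
# under each DIR that appear in none of ROOT's dpkg file lists.
unowned_files() {
    root=${1:-/}; shift
    owned=$(mktemp) || return 1
    found=$(mktemp) || return 1
    # Paths dpkg installed, read from the mounted system's own database.
    cat "$root"/var/lib/dpkg/info/*.list 2>/dev/null | LC_ALL=C sort -u > "$owned"
    (
        cd "$root" || exit 1
        for dir in "$@"; do
            [ -d ".$dir" ] || continue
            find ".$dir" \( -type f -o -type l \) -print
        done
    ) | sed 's|^\.||' | LC_ALL=C sort -u > "$found"
    # comm -13 keeps lines unique to the second file: on disk, not in dpkg.
    LC_ALL=C comm -13 "$owned" "$found"
    rm -f "$owned" "$found"
}

# Constructed sample root for a dry run: one packaged file, two stray files.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/var/lib/dpkg/info" "$r/usr/bin" "$r/etc/init.d"
    : > "$r/usr/bin/packaged-tool"
    : > "$r/usr/bin/stray-tool"
    : > "$r/etc/init.d/stray-service"
    printf '%s\n' /. /usr /usr/bin /usr/bin/packaged-tool \
        > "$r/var/lib/dpkg/info/sample-pkg.list"
    echo "$r"
}

# Real use from a live system: sh thisfile.sh /mnt /usr/bin /etc/init.d /etc/pam.d
if [ "$#" -ge 2 ]; then
    unowned_files "$@"
fi
```

Files created by maintainer scripts or by hand (generated configuration, alternatives symlinks) also appear in the output, so it is a list to review rather than a verdict.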