Hello.

I use Debian Lenny/Sid on my laptop, and with rkhunter I see this warning:

[20:00:55] /usr/sbin/tcpd [ Warning ]
[20:00:55] Warning: The file properties have changed:
[20:00:55] File: /usr/sbin/tcpd
[20:00:55] Current hash: 3e0d17c38096dc8d37dfa8a77b105538195ca868
[20:00:55] Stored hash : 6baf27aec765fd337a578c7eae1fbb95f0721e49
[20:00:55] Current inode: 881192 Stored inode: 878091
[20:00:55] Current size: 4308 Stored size: 4304
[20:00:55] Current file modification time: 1207324330
[20:00:55] Stored file modification time : 1185732044

Then I run unhide sys and see:

[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found:2

Testing usplash, I needed to restart my laptop. When it came back up, I
tested the processes again with unhide sys:

[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning

There are no longer any hidden processes. I looked for information, but I have
not seen false positives with the tcpd daemon.

Is my machine compromised? Looking back a bit, I remember a morning when,
without doing anything special, the laptop spent about 2 hours at 96% CPU.

Can you help me find out whether my machine is compromised? I am almost a novice,
and these things are beyond me.

Thanks
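Added example (not from this thread, and not rkhunter's or unhide's own code): a small Python script that reconciles the rkhunter warning above with Debian's own package records, so the changed hash, size and mtime of /usr/sbin/tcpd can be attributed either to a package upgrade or to something unexplained. It assumes the Debian paths /var/lib/dpkg/info/tcpd.md5sums and /var/log/dpkg.log; the sample manifest and log lines embedded in it are constructed.

```python
import hashlib
import os
import re
from datetime import datetime, timezone

# Constructed sample data (not real Debian package contents): the shape of a
# dpkg .md5sums manifest and of /var/log/dpkg.log lines. Versions are placeholders.
SAMPLE_MD5SUMS = "d41d8cd98f00b204e9800998ecf8427e  usr/sbin/tcpd\n"
SAMPLE_DPKG_LOG = (
    "2008-04-04 15:52:10 upgrade tcpd 7.6.dbs-13 7.6.dbs-14\n"
    "2008-04-04 15:52:10 status unpacked tcpd 7.6.dbs-14\n"
)

def epoch_to_iso(ts):
    """Turn the raw epoch mtime rkhunter prints into a readable UTC timestamp."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_md5sums(text):
    """Parse a dpkg .md5sums manifest: '<md5>  <path without leading slash>'."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{32}", parts[0]):
            manifest["/" + parts[1].strip()] = parts[0]
    return manifest

def md5_of_file(path):
    """dpkg records MD5 (rkhunter's stored hash above is SHA-1, so they are not comparable)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verdict(actual_md5, path, manifest):
    """'match' if the file is what the installed package shipped, else 'MISMATCH' or 'not-in-manifest'."""
    expected = manifest.get(path)
    if expected is None:
        return "not-in-manifest"
    return "match" if actual_md5 == expected else "MISMATCH"

def dpkg_log_events(log_text, package):
    """Return 'timestamp install|upgrade' entries for a package from dpkg.log text."""
    pat = re.compile(r"^(\S+ \S+) (install|upgrade) " + re.escape(package) + r"(?::\S+)? ")
    return [m.group(1) + " " + m.group(2) for m in (pat.match(l) for l in log_text.splitlines()) if m]

if __name__ == "__main__":
    print("stored  mtime:", epoch_to_iso(1185732044))   # values from the warning above
    print("current mtime:", epoch_to_iso(1207324330))
    manifest_path = "/var/lib/dpkg/info/tcpd.md5sums"  # Debian's record for package tcpd
    if os.path.exists(manifest_path) and os.path.exists("/usr/sbin/tcpd"):
        with open(manifest_path) as f:
            manifest = parse_md5sums(f.read())
        print("dpkg manifest says:", verdict(md5_of_file("/usr/sbin/tcpd"), "/usr/sbin/tcpd", manifest))
    if os.path.exists("/var/log/dpkg.log"):
        with open("/var/log/dpkg.log") as f:
            print("dpkg.log events for tcpd:", dpkg_log_events(f.read(), "tcpd"))
```

If the current MD5 matches the manifest and dpkg.log shows an upgrade of tcpd close to the new mtime, the change is a package update and `rkhunter --propupd` refreshes the stored properties; a mismatch with no upgrade record is the case that needs investigation.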

Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users