Re: Might've been rooted. Help
From: Naota (see_at_the.signature)
Date: Mon, 10 Nov 2003 21:00:30 GMT
On Mon, 10 Nov 2003 09:13:41 -0800, /dev/rob0 wrote:
> In article <firstname.lastname@example.org>, Naota wrote:
>> Everything was fine on my box, until I woke up yesterday and started PAN,
> Stop. Change the assumption. If you had been rooted, why would an
> attacker mess around in your home directory? Are you a rich and famous
> celebrity? If not the attacker certainly has no interest in you.
I understand what you're saying.
>> as I usually do. PAN was acting like I'd never used it before, asking
>> for my desired user name, email address, etc. Then I started Netscape,
>> and [snip]
>> Does anyone know what's going on,
> Of course not, given such information. But I can make what I bet is a
> very good guess: you deleted or broke the permissions of a bunch of
> dotfiles (and directories) in your home directory. That's where all your
> settings are stored! Restore your last backup and get on with life.
The day before this happened, I didn't use chmod or chown, so I didn't
mess with any permissions. As for the dotfiles, I haven't been bothering
them--especially in .pan and .mozilla, unless something else bothered
them. Maybe someone wanted to find financial info, such as credit card
numbers and the like.
>> or what I can do to figure out what's happening?
> Well, a bit of Googling here in this group will list a lot of advice on
> what to do if you suspect intrusion. If you enjoy silly paranoia, go for
> it: pull the network cable, pick over the logs, get chkrootkit, have
> fun. But what you described sounds like a simple "user oops".
Indeed. Chkrootkit was what I first turned to when this happened, but
nothing was infected.
> BTW if the user account is root, or has UID 0, you should go back and
> take all the advice of more experienced people: DON'T run as root. You
> can always "su" for anything that needs root privileges. If you have
> been running as root, there's a significant chance that you have trashed
> your install by now.
Hehe, the only commands run as root on a regular basis are cdrecord,
mkisofs, and ntpdate, and seldom mplayer (for the VESA and SVGA features).
Thanks for your help,
-- naSota@tPampabay.rAr.cMom - > (remove capital letters: SPAM)
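[Editor's note: the check rob0 suggests (broken ownership or permissions on the dotfiles in $HOME) is easy to script, so here is an added example. It is not code from this thread; the function names dotfile_perm_problems and recent_dotfile_changes are invented for the example, and it relies only on find's -user, -perm and -mtime primaries. It does not tell you whether a box was rooted; it only tells you which settings files the current user can no longer read or write, and which dotfiles changed recently, which is exactly the evidence needed to distinguish a "user oops" from something else before reaching for chkrootkit or a backup.]

```shell
#!/bin/sh
# Added example (not from the thread): audit the dotfiles and dotdirs in a
# home directory for the symptoms rob0 describes.
#
# dotfile_perm_problems HOME_DIR
#   Prints every entry under HOME_DIR's dotfiles/dotdirs that either is not
#   owned by the current user or lacks the owner read+write bits
#   (-perm -u+rw tests that both the u=r and u=w bits are set).
dotfile_perm_problems() {
    me=$(id -un)
    # .[!.]* matches dotfiles except "." and ".."; ..?* catches names like "..foo"
    for top in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$top" ] || continue          # the glob matched nothing
        find "$top" \( ! -user "$me" -o ! -perm -u+rw \) -print
    done
}

# recent_dotfile_changes HOME_DIR [DAYS]
#   Prints every entry under HOME_DIR's dotfiles/dotdirs modified less than
#   DAYS days ago (default 2). Anything here that you did not touch yourself
#   deserves a closer look.
recent_dotfile_changes() {
    days="${2:-2}"
    for top in "$1"/.[!.]* "$1"/..?*; do
        [ -e "$top" ] || continue
        find "$top" -mtime -"$days" -print
    done
}

# Usage: sh dotfile-audit.sh /home/naota [days]
# With no arguments the script only defines the functions.
if [ $# -gt 0 ]; then
    echo "== ownership/permission problems under $1 =="
    dotfile_perm_problems "$1"
    echo "== dotfile entries modified in the last ${2:-2} day(s) =="
    recent_dotfile_changes "$1" "${2:-2}"
fi
```

Run it as the affected user (not as root, or the ownership test is meaningless). A .pan or .mozilla entry showing up in the first list explains a program "forgetting" its settings without any intruder; the second list gives you the timestamps to compare against what you remember doing.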