Re: Might've been rooted. Help
From: Naota (see_at_the.signature)
Date: 11/10/03
- Next message: Mark.Wright_at_bristol.ac.uk: "chkrootkit errors"
- Previous message: Jacob Westenbach: "Re: Setting up a Firewall"
- In reply to: /dev/rob0: "Re: Might've been rooted. Help"
- Next in thread: Bit Twister: "Re: Might've been rooted. Help"
- Reply: Bit Twister: "Re: Might've been rooted. Help"
- Reply: /dev/rob0: "Re: Might've been rooted. Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 10 Nov 2003 21:00:30 GMT
On Mon, 10 Nov 2003 09:13:41 -0800, /dev/rob0 wrote:
> In article <pan.2003.11.10.16.27.49.801525@the.signature>, Naota wrote:
>> Everything was fine on my box, until I woke up yesterday and started PAN,
>
> Stop. Change the assumption. If you had been rooted, why would an
> attacker mess around in your home directory? Are you a rich and famous
> celebrity? If not, the attacker certainly has no interest in you.
I understand what you're saying.
>> as I usually do. PAN was acting like I'd never used it before, asking
>> for my desired user name, email address, etc. Then I started Netscape,
>> and [snip]
>> Does anyone know what's going on,
>
> Of course not, given such information. But I can make what I bet is a
> very good guess: you deleted or broke the permissions of a bunch of
> dotfiles (and directories) in your home directory. That's where all your
> settings are stored! Restore your last backup and get on with life.
>
The day before this happened, I didn't use chmod or chown, so I didn't
mess with any permissions. As for the dotfiles, I haven't been bothering
them--especially in .pan and .mozilla, unless something else bothered
them. Maybe someone wanted to find financial info, such as credit card
numbers and the like.
>> or what I can do to figure out what's happening?
>
> Well, a bit of Googling here in this group will list a lot of advice on
> what to do if you suspect intrusion. If you enjoy silly paranoia, go for
> it: pull the network cable, pick over the logs, get chkrootkit, have
> fun. But what you described sounds like a simple "user oops".
Indeed. Chkrootkit was who I first turned to when this happened, but
nothing was infected.
> BTW if the user account is root, or has UID 0, you should go back and
> take all the advice of more experienced people: DON'T run as root. You
> can always "su" for anything that needs root privileges. If you have
> been running as root, there's a significant chance that you have trashed
> your install by now.
Hehe, the only commands run as root on a regular basis are cdrecord,
mkisofs, ntpdate, and seldom mplayer (for the VESA and SVGA features).
Thanks for your help,
Naota
-- naSota@tPampabay.rAr.cMom - > (remove capital letters: SPAM)