Re: Might've been rooted. Help

From: Naota (see_at_the.signature)
Date: 11/10/03


Date: Mon, 10 Nov 2003 21:00:30 GMT

On Mon, 10 Nov 2003 09:13:41 -0800, /dev/rob0 wrote:

> In article <pan.2003.11.10.16.27.49.801525@the.signature>, Naota wrote:
>> Everything was fine on my box, until I woke up yesterday and started PAN,
>
> Stop. Change the assumption. If you had been rooted, why would an
> attacker mess around in your home directory? Are you a rich and famous
> celebrity? If not the attacker certainly has no interest in you.

I understand what you're saying.
 
>> as I usually do. PAN was acting like I'd never used it before, asking
>> for my desired user name, email address, etc. Then I started Netscape,
>> and [snip]
>> Does anyone know what's going on,
>
> Of course not, given such information. But I can make what I bet is a
> very good guess: you deleted or broke the permissions of a bunch of
> dotfiles (and directories) in your home directory. That's where all your
> settings are stored! Restore your last backup and get on with life.
>

The day before this happened, I didn't use chmod or chown, so I didn't
mess with any permissions. As for the dotfiles, I haven't been bothering
them--especially in .pan and .mozilla, unless something else bothered
them. Maybe someone wanted to find financial info, such as credit card
numbers and the like.

>> or what I can do to figure out what's happening?
>
> Well, a bit of Googling here in this group will list a lot of advice on
> what to do if you suspect intrusion. If you enjoy silly paranoia, go for
> it: pull the network cable, pick over the logs, get chkrootkit, have
> fun. But what you described sounds like a simple "user oops".

Indeed. Chkrootkit was who I first turned to when this happened, but
nothing was infected.

> BTW if the user account is root, or has UID 0, you should go back and
> take all the advice of more experienced people: DON'T run as root. You
> can always "su" for anything that needs root privileges. If you have
> been running as root, there's a significant chance that you have trashed
> your install by now.

Hehe, the only commands run as root on a regular basis are cdrecord,
mkisofs, ntpdate, and seldom mplayer (for the VESA and SVGA features).

Thanks for your help,
Naota

-- 
naSota@tPampabay.rAr.cMom - > (remove capital letters: SPAM)

