
Re: [suse-security] Found file in /dev: "h"



Hi,

> >> I found a normal file in /dev: "h" on one of my servers:
> >> It contains the following text between binary code:
> >> Invalid partition table^@No operating system^@Error loading
> >> operating system

This should not be there. It might be part of a rootkit hooking before
kernel-loading.

> The server has an open ssh-port, available from internet via dyndns.org.
> Using DSL with t-online.de.

Not only available from dyndns.org. You can always connect to the IP from
anywhere.
The portscan could be faked, the packet log may be misleading.

1. Remove the file, better move it to another location.
2. Reboot. If the system does not start -> it was hacked, this file was an
active chainloader
3. load chkrootkit, do a make sense, check the system. If possible use /bin
from CD or another machine (NFS, Samba, whatever).
4. If you find anything confirmed (an identified rootkit), shut down,
reinstall after formatting OR (the dangerous way)
5. Install another machine with same distribution, same patchlevel, and
tripwire the disk against it. Replace changed files manually. This may
result in an unusable system, or you miss some infected files.

Ciao,
Dieter
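An added example, not part of Dieter's reply or of the original thread: a POSIX shell check for the situation described above. /dev should hold only device nodes, symlinks and directories, so the script lists every regular file below it and flags those whose content looks like a boot sector, meaning the bytes 0x55 0xAA at offset 510 (the signature the BIOS looks for) and one of the error strings quoted in the thread. The function names and the `make_sample` helper, which builds a constructed sample directory so the check can be tried without touching a real /dev, are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find regular files under a device
# directory and flag those that look like a copy of a boot sector.

# Print every regular file below the given directory (default /dev).
# Device nodes, symlinks and directories are skipped by -type f.
list_regular_files() {
    dir="${1:-/dev}"
    find "$dir" -xdev -type f -print 2>/dev/null
}

# Print how many regular files live below the directory.
count_regular_files() {
    list_regular_files "$1" | wc -l | tr -d ' '
}

# Return 0 if the file carries the boot-sector signature 0x55 0xAA at
# offset 510 AND at least one of the BIOS error strings quoted above.
looks_like_boot_sector() {
    f="$1"
    [ -f "$f" ] || return 1
    sig=$(dd if="$f" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] || return 1
    # grep -a scans the binary file as text, so NUL bytes do not stop it.
    grep -a -q -e 'Invalid partition table' -e 'No operating system' \
               -e 'Error loading operating system' "$f"
}

# Walk the directory and report each regular file, marking boot-sector lookalikes.
scan_dev() {
    dir="${1:-/dev}"
    list_regular_files "$dir" | while IFS= read -r f; do
        if looks_like_boot_sector "$f"; then
            printf 'SUSPICIOUS (boot-sector-like): %s\n' "$f"
        else
            printf 'regular file in device dir:    %s\n' "$f"
        fi
    done
}

# Build a constructed sample directory (hypothetical data, for demonstration
# only): a harmless text file, a symlink, and a 512-byte "h" that mimics
# the file from the thread. Prints the directory path.
make_sample() {
    dir="$1"
    mkdir -p "$dir"
    printf 'not a device\n' > "$dir/README.txt"
    ln -sf README.txt "$dir/link"
    # boot-code strings, NUL separated, then zero padding to 510 bytes,
    # then the 0x55 0xAA signature (octal 125 252).
    printf 'Invalid partition table\000No operating system\000Error loading operating system\000' > "$dir/h"
    pad=$((510 - $(wc -c < "$dir/h")))
    dd if=/dev/zero bs=1 count="$pad" >> "$dir/h" 2>/dev/null
    printf '\125\252' >> "$dir/h"
    echo "$dir"
}

# Usage: sh scan_dev.sh /dev        (or any directory you want checked)
if [ -n "${1:-}" ]; then
    scan_dev "$1"
fi
```

Run it against /dev on a system you consider clean first, so you know what the distribution itself puts there; a hit does not prove a rootkit, but a regular file with a boot signature in /dev is exactly the kind of artifact to move aside and examine with chkrootkit, as the reply suggests.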

