From: Sergey Spiridonov on 21 Jul 2010 09:10

Hi

I found yesterday that some files in /etc/ (/etc/shells and /etc/default/default/schroot) are changed. They contain data which I was typing on the keyboard. Strangely enough, these files are not overwritten, but contain the data they should contain + somewhere in the middle or at the beginning of the file they contain something I typed in the browser or on the command line in the X window system.

This looks like I am hacked and somebody is trying to get my passwords. But maybe there is another explanation, like a broken package? Or can somebody suggest how I can check it? Reinstalling everything from scratch is a lot of work...

System is squeeze, upgraded from lenny a few weeks ago.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/ud6jh7-ajc.ln1(a)legba.gamic.com

From: Jochen Schulz on 21 Jul 2010 09:50

Sergey Spiridonov:
>
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I
> was typing on the keyboard. Strangely enough, these files are not
> overwritten, but contain the data they should contain + somewhere in the
> middle or at the beginning of the file they contain something I
> typed in the browser or on the command line in the X window system.

One possible reason: your memory is corrupt. Run memtest86 to check that.

J.
--
In an ideal world I would cure poverty and go to the gym at least three days a week. [Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>

From: Sergey Spiridonov on 21 Jul 2010 11:50

Hi

On 07/21/2010 03:40 PM, Jochen Schulz wrote:
> One possible reason: your memory is corrupt. Run memtest86 to check
> that.

I think memory is not the reason, because some time ago I also got a broken /etc/shells file on another machine, which is running Lenny.

--
Best regards, Sergey Spiridonov

From: Aaron Toponce on 21 Jul 2010 12:30

On 07/21/2010 06:39 AM, Sergey Spiridonov wrote:
> I found yesterday that some files in /etc/ (/etc/shells and
> /etc/default/default/schroot) are changed. They contain data which I was
> typing on the keyboard. Strangely enough, these files are not overwritten, but
> contain the data they should contain + somewhere in the middle or at the
> beginning of the file they contain something I typed in the browser or on
> the command line in the X window system.
>
> This looks like I am hacked and somebody is trying to get my passwords.
> But maybe there is another explanation, like a broken package? Or can
> somebody suggest how I can check it? Reinstalling everything from
> scratch is a lot of work...
>
> System is squeeze, upgraded from lenny a few weeks ago.

Check 'last' and 'lastb' to see if there are any other logins or login attempts other than yourself.

From: Chris Davies on 21 Jul 2010 13:30

Sergey Spiridonov <sergey.spiridonov(a)gmail.com> wrote:
> I think memory is not the reason, because some time ago I also got a broken
> /etc/shells file on another machine, which is running Lenny.

Broken memory. Broken kernel (possibly but not necessarily the filesystem driver). Hacked machine. Broken hardware.

For breakage of something as significant as /etc/shells, I'd prioritise investigations in that order. Memtest86+ is a no-brainer, so let it test your machine. Are you using a kernel that's got known issues with whatever filesystem you are using for /etc? (Have you looked?)

What was the outcome of your investigation into the previous situation?

Chris
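
A first triage step for the symptom discussed in this thread, given as an added example that is not part of any post: list the lines of a shells(5)-format file that are not a comment, a blank line or a single absolute path, so stray text can be located and kept as evidence before any repair. The function name and report format are hypothetical; the check assumes only the shells(5) layout of one full pathname per line with `#` comments.

```shell
#!/bin/sh
# Added example (not from the thread): find lines in a shells(5)-format
# file that do not belong there. Nothing is modified; the report only
# shows where foreign text sits so the file can be preserved and compared.

# suspicious_shell_lines FILE
# Prints LINENO:REASON:TEXT for every line that does not fit the format.
#   not-a-path      line is not a single absolute pathname
#   not-executable  line looks like a path but no such executable exists
#                   (on its own this may only mean the shell is not installed)
suspicious_shell_lines() {
    n=0
    # '|| [ -n "$line" ]' also handles a last line without a newline,
    # which a partially overwritten file may have.
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*)
                continue ;;                 # blank line or comment
            *' '*|[!/]*)
                reason=not-a-path ;;        # contains a space or is not absolute
            *)
                if [ -x "$line" ] && [ ! -d "$line" ]; then
                    continue                # existing executable: expected entry
                fi
                reason=not-executable ;;
        esac
        printf '%s:%s:%s\n' "$n" "$reason" "$line"
    done < "$1"
}

# Stand-alone use: pass the file to inspect, e.g. /etc/shells.
if [ "$#" -gt 0 ]; then
    suspicious_shell_lines "$1"
fi
```

Lines reported as `not-a-path` are the ones to preserve (copy the file with its timestamps before touching it); comparing their content and the file's mtime against the 'last' output helps separate corruption from tampering.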