So I found that one of my VM hosts seems to have been compromised in some way; I've shut it down, isolated it, and found a few odd things like gibberish comments and odd hostnames that I don't recognise pointing back to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but has more of a Windowsy feel for what it wants to be able to fix. Does anyone know of something with more of a Linux rootkit detection focus? I could just rebuild this machine, but I'd like to know for sure what all was broken and how bad it was, so I can avoid it next time.
thanks.
zep wrote:
> So I found that one of my VM hosts seems to have been compromised in some way; I've shut it down, isolated it, and found a few odd things like gibberish comments and odd hostnames that I don't recognise pointing back to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but has more of a Windowsy feel for what it wants to be able to fix. Does anyone know of something with more of a Linux rootkit detection focus? I could just rebuild this machine, but I'd like to know for sure what all was broken and how bad it was, so I can avoid it next time.
Don't know TRD. Rootkits, though, we use rkhunter here.
And hostnames pointing to 127.0.0.1... I have a ton of them. #1 on the list that points to that is, of course, doubleclick.com (and .net). It's a nice way to get rid of ads and speed up page loading.... Check, for example, http://someonewhocares.org/hosts/
mark, who remembers the good old days of usenet
zep wrote:
> So I found that one of my VM hosts seems to have been compromised in some way; I've shut it down, isolated it, and found a few odd things like gibberish comments and odd hostnames that I don't recognise pointing back to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but has more of a Windowsy feel for what it wants to be able to fix. Does anyone know of something with more of a Linux rootkit detection focus? I could just rebuild this machine, but I'd like to know for sure what all was broken and how bad it was, so I can avoid it next time.
Ok, I *do* have to ask: Toyota Racing Development? That's #1 I find on googling TRD.
mark
On 04/16/2014 11:12 AM, m.roth@5-cent.us wrote:
> zep wrote:
>> to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but has more of a windowsy feel for what it wants to be able to fix. does
> Ok, I *do* have to ask: Toyota Racing Development? That's #1 I find on googling TRD.
> mark
Trinity Rescue Disc :)
On 2014-04-16, zep zgreenfelder@gmail.com wrote:
> On 04/16/2014 11:12 AM, m.roth@5-cent.us wrote:
>> zep wrote:
>> Ok, I *do* have to ask: Toyota Racing Development? That's #1 I find on googling TRD.
> Trinity Rescue Disc :)
I always thought it was TRK: Trinity Rescue Kit.
http://trinityhome.org/Home/index.php?wpid=1&front_id=12
--keith
On 04/16/2014 03:36 PM, Keith Keller wrote:
> On 2014-04-16, zep zgreenfelder@gmail.com wrote:
>> On 04/16/2014 11:12 AM, m.roth@5-cent.us wrote:
>>> zep wrote:
>>> Ok, I *do* have to ask: Toyota Racing Development? That's #1 I find on googling TRD.
>> Trinity Rescue Disc :)
> I always thought it was TRK: Trinity Rescue Kit.
> http://trinityhome.org/Home/index.php?wpid=1&front_id=12
> --keith
I stand corrected; I was operating off memory and thought I'd searched for and found it via that name. Understandable, since TRD is one vowel off from a very unfortunate product name that nobody would really want to be associated with.
On Wed, Apr 16, 2014 at 9:57 AM, zep zgreenfelder@gmail.com wrote:
> So I found that one of my VM hosts seems to have been compromised in some way; I've shut it down, isolated it, and found a few odd things like gibberish comments and odd hostnames that I don't recognise pointing back to 127.0.0.1 in /etc/hosts. I tried TRD and it seems mildly useful, but has more of a Windowsy feel for what it wants to be able to fix. Does anyone know of something with more of a Linux rootkit detection focus? I could just rebuild this machine, but I'd like to know for sure what all was broken and how bad it was, so I can avoid it next time.
Brute force sometimes works... If you have a backup from before the issue, restore it somewhere and diff -r (or maybe rsync -av --delete if it is remote) to find what changed.
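As an added example (my own script, not posted by anyone in this thread), here is a POSIX sh version of what the last reply suggests: diff a restored pre-incident backup against the suspect tree and classify what changed, and separately list the /etc/hosts names pointing at 127.0.0.1 that the backup does not have, which is the distinction mark drew between deliberate ad-blocking entries and unexpected ones. The directory layout, file contents and the hostname unknownhost.test are constructed fixtures.

```shell
# Added example (not from the thread): compare a suspect filesystem tree against a
# known-good tree restored from a pre-incident backup, as the last reply suggests
# with "diff -r", and flag /etc/hosts loopback entries the backup does not contain.
# All paths and file contents below are constructed for the demo.

# Turn "diff -rq" output into sorted "added|removed|modified <path>" lines.
# Assumes paths without spaces or ": " (diff's text output is ambiguous otherwise).
classify_changes() {
    good="$1"; suspect="$2"
    diff -rq "$good" "$suspect" | while IFS= read -r line; do
        case "$line" in
            "Only in $suspect"*)   # "Only in <dir>: <name>": appeared after the backup
                d=${line#"Only in "}; d=${d%%: *}; n=${line##*: }
                printf 'added %s/%s\n' "${d#"$suspect"}" "$n" ;;
            "Only in $good"*)      # in the backup, gone from the suspect host
                d=${line#"Only in "}; d=${d%%: *}; n=${line##*: }
                printf 'removed %s/%s\n' "${d#"$good"}" "$n" ;;
            "Files $good"*" differ"|"Binary files $good"*" differ")
                p=${line#*"$good"}; p=${p%% and *}
                printf 'modified %s\n' "$p" ;;
        esac
    done | sort
}

# Hostnames the suspect /etc/hosts maps to 127.0.0.1, ::1 or 0.0.0.0 that the
# known-good copy does not: deliberate ad-blocking entries (doubleclick etc.) sit
# in both files and drop out; entries that arrived with the compromise remain.
unknown_loopback_hosts() {
    awk -v good="$1" '
        { sub(/#.*/, "") }                  # strip comments; $0 is re-split
        $1 == "127.0.0.1" || $1 == "::1" || $1 == "0.0.0.0" {
            for (i = 2; i <= NF; i++) {
                if (FILENAME == good) ok[$i] = 1
                else if (!($i in ok) && !seen[$i]++) print $i
            }
        }' "$1" "$2"
}

# Two small constructed trees: the restored backup and the suspect image.
make_fixtures() {
    base=$(mktemp -d)
    mkdir -p "$base/good/etc/cron.d" "$base/suspect/etc/cron.d"
    printf '127.0.0.1 localhost\n127.0.0.1 doubleclick.net # adblock\n' > "$base/good/etc/hosts"
    printf '127.0.0.1 localhost\n127.0.0.1 doubleclick.net # adblock\n127.0.0.1 unknownhost.test\n' > "$base/suspect/etc/hosts"
    printf 'PermitRootLogin no\n' > "$base/good/etc/sshd_config"
    printf 'PermitRootLogin yes\n' > "$base/suspect/etc/sshd_config"
    echo 'Welcome' > "$base/good/etc/motd"                  # removed on the suspect host
    echo 'placeholder job' > "$base/suspect/etc/cron.d/job"  # added on the suspect host
    echo "$base"
}
```

On a real host, mount the suspect VM's disk image read-only on a clean analysis machine and pass that mount point as the second argument, so only the analysis machine's own diff and awk binaries are trusted.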