LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 12-30-2013, 06:25 PM   #1
dave.h
LQ Newbie
 
Registered: Oct 2013
Location: AZ
Distribution: Slackware 14.1
Posts: 3

Rep: Reputation: Disabled
Infected Home Directory


Sorry this is my first post - so hopefully I'm not breaking with proper protocols.

Problem: Unknown folder (~1Gb) in my home directory with random alpha character name, and with files, again random alpha generated character names.

I am unable to remove/delete the directory and files, even when booting from live alt-distro. 'rm -R' just keeps running and the folder size doesn't change.

Any suggestions?

Thx!

dh
 
Old 12-30-2013, 06:31 PM   #2
fatalfrrog
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 50

Rep: Reputation: 15
Is it growing? What are the permissions? Can you remove individual files? (rm -r might be crawling because it's inefficient with large directories)

I am also in AZ (Phoenix) running 14.1, maybe send me a PM and see if I can check it out.
 
Old 12-30-2013, 06:51 PM   #3
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,173

Rep: Reputation: 539
If you have conclusively determined that you have been rooted I would re-install from known safe media (your Slackware 14.1 DVD). Did you find other evidence of a penetration? Are you running some type of firewall(software/hardware)? When you re-install make sure a good firewall is in place. Change all passwords. Monitor your credit card statements.
 
Old 12-30-2013, 07:19 PM   #4
qweasd
Member
 
Registered: May 2010
Posts: 439

Rep: Reputation: Disabled
Quote:
Originally Posted by dave.h
I am unable to remove/delete the directory and files, even when booting from live alt-distro. 'rm -R' just keeps running and the folder size doesn't change.
Are you sure you got "infected"? A more prosaic (and IMHO, more likely) scenario is a borked filesystem, and the reason for that, in turn, may be a borked drive. Have you tried fscking the corresponding partition from a live CD? The result could be very illuminating.

If, on the other hand, you are more than 10% sure you got rooted, just go with what hitest says above. Do your best to determine the attack vector, then wipe and reinstall.
 
1 members found this post helpful.
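Posts #2 and #4 above ask the right first questions: is the directory still growing, what are its permissions, is rm simply slow on a huge directory, and is the filesystem itself damaged. The shell script below is an added example of answering those questions from the running system or a live CD; it is not code from the thread or from Slackware, and it assumes GNU findutils/coreutils (lsattr from e2fsprogs and fuser from psmisc are used only when installed). The function names count_entries, fs_of, triage_dir and purge_dir are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage an unexpected directory
# before trying to delete it, so "rm -R never finishes" can be told apart
# from "the filesystem is damaged" and from "something is still writing here".
# Assumes GNU coreutils/findutils (standard on Slackware); lsattr (e2fsprogs)
# and fuser (psmisc) are used only if present.

# Number of entries below a directory, without listing them on the terminal.
# A flat directory with hundreds of thousands of random-named files is the
# usual reason rm -R appears to hang: each unlink is a separate syscall, and
# on filesystems without a directory index every lookup is a linear scan.
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Device and mount point backing a path: this is the partition to fsck
# (unmounted, from the live CD) if the entries turn out to be corrupt.
fs_of() {
    df -P "$1" | awk 'NR==2 {print $1, $6}'
}

# Read-only report. Immutable (i) or append-only (a) attributes make rm fail
# even as root until cleared with chattr; open file handles mean a process
# is still using the tree and will recreate whatever you delete.
triage_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    echo "entries: $(count_entries "$dir")"
    echo "usage:   $(du -sk "$dir" | cut -f1) KiB"
    echo "owner:   $(ls -ld "$dir")"
    echo "fs:      $(fs_of "$dir")"
    if command -v lsattr >/dev/null 2>&1; then
        echo "attrs:   $(lsattr -d "$dir" 2>/dev/null)"
    fi
    if command -v fuser >/dev/null 2>&1; then
        echo "open by: $(fuser "$dir" 2>/dev/null)"
    fi
    return 0
}

# Remove a large tree. find -delete unlinks depth-first as it walks, so it
# needs no argument list and no memory for the names (add -print before
# -delete to watch progress). The case guard stops a typo from emptying a
# top-level directory.
purge_dir() {
    dir=$1
    case "$dir" in
        ""|/|/home|/root|/usr|/var) echo "refusing to purge '$dir'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -delete
}

# Typical sequence on the path from this thread (run as the directory's
# owner, or as root after reading the report):
#   triage_dir /home/dave/JIodqkIaXJ
#   purge_dir  /home/dave/JIodqkIaXJ
```

Read the triage report before purging: an entry count in the hundreds of thousands means rm -R was probably just slow; an `i` in the attrs line means the directory was made immutable and needs `chattr -i` as root; PIDs in the "open by" line mean something is still writing there and should be identified first. If the filesystem is suspect, boot the live CD and run `fsck -n` on the device that fs_of printed, while it is unmounted, to get a read-only verdict before letting fsck change anything.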
Old 12-30-2013, 07:38 PM   #5
perbh
Member
 
Registered: May 2008
Location: Republic of Texas
Posts: 238

Rep: Reputation: 38
Could you give us the name of this 'top' folder? (it wouldn't - by any chance - start with '.g'?)
 
Old 12-30-2013, 08:00 PM   #6
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,203

Rep: Reputation: Disabled
Are you sure it isn't some type of filesystem corruption ?
 
Old 12-30-2013, 09:09 PM   #7
dave.h
LQ Newbie
 
Registered: Oct 2013
Location: AZ
Distribution: Slackware 14.1
Posts: 3

Original Poster
Rep: Reputation: Disabled
OK - I'll try to answer all your questions as best I can...

It's not growing - at least that I've noticed since last evening.
As far as permissions, nothing unusual - the owner is myself and the group 'users'.
path: /home/dave/JIodqkIaXJ

I'm not too concerned about security breaches at this point, but I'm unsure of the origin of this directory/files, and the fact that I'm unable to easily remove it made me think it was best to post the issue.

As for whether I've been rooted?? That's why I am posting and was hoping for some guidance. I'll try scanning from a live CD for a start.

Thx.

dh
 
Old 12-30-2013, 09:16 PM   #8
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,173

Rep: Reputation: 539
Quote:
Originally Posted by dave.h
As for whether I've been rooted?? That's why am I posting and was hoping for some guidance. I'll try scanning from a live CD for a start.

Thx.

dh
You could try to scan for root kits. The rkhunter utility is something you could use to see if you have been compromised. You can install rkhunter from the good people at slackbuilds.org. That may be a place to start.
 
Old 12-30-2013, 09:31 PM   #9
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, FreeBSD 10.0
Posts: 3,218
Blog Entries: 15

Rep: Reputation: 833
rkhunter and chkrootkit both should be able to eliminate any rootkits in your system.

You should also consider grabbing a free Linux antivirus scanner to perform a follow up scan as most of these can now accurately detect malware and rootkits.

BitDefender Scanner for UNICES is a good free one, as is the SBo-available ClamAV. BitDefender even has a rescue disk, but I'm not sure if it'll work on Linux as it's mainly geared for Windows. If anything is lurking in your system they should detect it. Also, check your cron jobs, rc startup scripts, and any other autorun utility scripts to make sure nothing malicious has been inserted into the scripts to run without provocation.

If you need a firewall grab the iptables script from AlienBOB's website and drop it in with basic ports only programmed in. Try to limit access outbound on your network also.

You should also consider using a program like Samhain as well for HIDS.

Reinstallation should only be a last resort technique unless the malware has circumvented your kernel and other core software packages.

Last edited by ReaperX7; 12-30-2013 at 09:34 PM.
 
Old 12-30-2013, 10:15 PM   #10
fatalfrrog
Member
 
Registered: May 2011
Distribution: Slackware
Posts: 50

Rep: Reputation: 15
Quote:
Originally Posted by ReaperX7
Reinstallation should only be a last resort technique unless the malware has circumvented your kernel and other core software packages.

A reinstall should be a first-resort technique! In the event of a root-level compromise, you must assume you cannot get rid of it 100%. Wipe and restore from the last known good backup!
 
1 members found this post helpful.
Old 12-30-2013, 10:40 PM   #11
dave.h
LQ Newbie
 
Registered: Oct 2013
Location: AZ
Distribution: Slackware 14.1
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks ReaperX7!

As for the scan with both rkhunter and chkrootkit: I had a couple of odd file warnings with rkhunter (/usr/bin/adduser, ldd, whatis) and a warning for inetd services, and for chkrootkit 'nothing found' or 'not infected'...

Clamav is installed, but I will try scanning from a live CD as well. This may take some time given the directory in question is nearly infinite.
My system is on a laptop so I am using AlienBob's easy firewall already, and mostly from behind my home dd-wrt router. I only stop it when dealing with LAN routing issues.

I'll try Samhain and HIDS as well... and will post the results.

I agree - a complete re-install is a last resort. I'd prefer to understand the root of the problem first.

dh
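Post #9 suggests reviewing cron jobs and startup scripts, and post #11 reports rkhunter warnings about /usr/bin/adduser, ldd and whatis plus enabled inetd services. The shell functions below are an added example of how to follow up on both posts; they are not code from the thread, from rkhunter, or from Slackware. The function names (enabled_inetd_services, file_kind, owning_package, suspicious_cron_entries, make_samples) and the sample inetd.conf, crontab and package manifests are constructed for this example; on a real box the inputs are /etc/inetd.conf, /var/spool/cron/crontabs and /etc/cron.d, and /var/log/packages.

```shell
#!/bin/sh
# Added example, not code from the thread. Follow-up checks for the kinds of
# rkhunter warnings reported above (commands "replaced by a script", enabled
# inetd services) plus the cron review suggested earlier. Each function takes
# the file or directory to inspect as an argument so it can run against
# constructed samples offline; the real paths are given in the comments.

# rkhunter's inetd warning lists services enabled in /etc/inetd.conf, i.e.
# every line that is neither blank nor commented out. Print their names so
# the warning can be compared with what you actually intend to run.
enabled_inetd_services() {
    # usage: enabled_inetd_services /etc/inetd.conf
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{print $1}'
}

# rkhunter's "replaced by a script" warning means a command it expects to be
# a compiled binary starts with "#!". On Slackware 14.1 ldd, whatis and
# adduser ship as scripts, so that warning on its own is not evidence of
# tampering. Classify a file by its first two bytes.
file_kind() {
    # usage: file_kind /usr/bin/ldd   -> script | binary | missing
    [ -f "$1" ] || { echo missing; return 0; }
    if [ "$(head -c 2 "$1")" = "#!" ]; then echo script; else echo binary; fi
}

# Which package installed a path. Slackware keeps each package's file list
# in /var/log/packages/<package>, one path per line with no leading slash.
# A script that no package claims deserves a closer look. The manifest
# stores names only, not checksums, so a modified file that kept its name
# still passes this check; compare against the original .txz for that.
owning_package() {
    # usage: owning_package /var/log/packages usr/bin/ldd
    grep -lxF "$2" "$1"/* 2>/dev/null | sed 's#.*/##' | head -n 1
}

# Cron entries whose command lives somewhere an unprivileged user can write
# (/tmp, /var/tmp, /dev/shm, a home directory) are the usual persistence
# spot after a user-level compromise. Print only those, tagged with their
# source file.
suspicious_cron_entries() {
    # usage: suspicious_cron_entries /var/spool/cron/crontabs/* /etc/cron.d/*
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
            | grep -E '/(tmp|dev/shm|home)/' \
            | awk -v f="$f" '{print f ": " $0}'
    done
}

# Constructed sample inputs (invented for this example, not taken from any
# real machine) so the checks can be exercised without root.
make_samples() {
    d=$1
    mkdir -p "$d/packages" "$d/bin"
    cat > "$d/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd
EOF
    cat > "$d/crontab" <<'EOF'
# min hour dom mon dow command
15 3 * * *  /usr/bin/updatedb
*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1
@reboot     /home/someuser/.cache/.s
EOF
    printf '#!/bin/sh\necho this ldd is a script\n' > "$d/bin/ldd"
    printf '\177ELF' > "$d/bin/ls"
    printf 'usr/\nusr/bin/\nusr/bin/ldd\nusr/bin/ldconfig\n' > "$d/packages/sample-glibc-1.0-x86_64-1"
    printf 'bin/\nbin/ls\nbin/cp\n' > "$d/packages/sample-coreutils-1.0-x86_64-1"
}
```

On the real machine, `file_kind /usr/bin/ldd` followed by `owning_package /var/log/packages usr/bin/ldd` tells you whether the script rkhunter flagged is the one the glibc package installed or an orphan; the inetd and cron functions then narrow the two remaining warnings to a short list of lines to read. For the rc startup scripts post #9 mentions, the equivalent is `ls -lt /etc/rc.d | head` to spot recent modification times, since those files are shipped by packages too and can be compared the same way.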
 
Old 12-30-2013, 10:45 PM   #12
jon lee
Member
 
Registered: Jul 2013
Posts: 81

Rep: Reputation: Disabled
I would hit tab on lilo and enter init=/bin/sh rw
Then I would rm -rf said directory

Actually a thorough cleansing once in awhile can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp

Edit: Oh, it'll make it easier if you also do a
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
export PATH

(first)

Last edited by jon lee; 12-30-2013 at 10:55 PM.
 
Old 12-30-2013, 11:43 PM   #13
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 804

Rep: Reputation: 157
Quote:
Originally Posted by jon lee
Actually a thorough cleansing once in awhile can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp
Did you really mean to suggest this? Clearing /tmp and possibly even /var/tmp occasionally, ok. But I hope no one takes your advice on removing all files in their home directory. That is a reckless thing to suggest, except perhaps to people who only use their login account for browsing the internet, and never save anything important in their home directory (like photos, personal or financial documents, email, ssh keys, source code, shell scripts, config files, etc).
 
3 members found this post helpful.
Old 12-31-2013, 01:07 AM   #14
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, FreeBSD 10.0
Posts: 3,218
Blog Entries: 15

Rep: Reputation: 833
Quote:
Originally Posted by fatalfrrog
A reinstall should be a first-restort technique! In the event of a root-level compromise, you must assume you cannot get rid of it 100%. Wipe and restore from the last known good backup!
That might have been the case 10 years ago, but unless you are certain it is a 100% root-kernel compromise, reinstalling is literally wasting time and resources. It's best to start with damage control and cleanup first, then assess the situation as to how to proceed.
 
1 members found this post helpful.
Old 12-31-2013, 01:13 AM   #15
astrogeek
Senior Member
 
Registered: Oct 2008
Distribution: Slackware: 12.1, 13.1, 14.1, 64-14.1, -current, FreeBSD-10
Posts: 1,885

Rep: Reputation: 661
!!!YIKES!!!

Quote:
Originally Posted by jon lee
I would hit tab on lilo and enter init=/bin/sh rw
Then I would rm -rf said directory

Actually a thorough cleansing once in awhile can be useful without going through a full reinstall..

cd /home/$user
rm -rf *
rm -rf .*

Same with /root, /tmp, /var/tmp, /usr/tmp

Edit: Oh, it'll make it easier if you also do a
PATH="/bin:/sbin:/usr/bin:/usr/sbin"
export PATH

(first)
I say again - !!!YIKES!!!

I do not doubt that someone told you this when you were a noob, we all get unsound advice! But you should seriously rethink this and never recommend it to some unsuspecting and trusting soul looking for help!

!!!YIKES!!!
 
1 members found this post helpful.
  

