I have discovered that there has been unauthorized usage of a username/password of mine on a bulletin board. My concern is that it is from an overseas domain name and therefore is not someone I know. The password is unique to this board, so therefore it would be hard to guess or have someone use from another site. I contacted the site and they suggested it could be a "password harvesting trojan"

I have a SuSE 9.1 dual boot with XP. I have SP2, Virus Protection up to date, Adaware, etc running on the XP side. I did a scan and everything appears to check out on the XP box.

My question is - where do I go from here on the Linux side? I have installed all the suggested SuSE updates.

Any help would be appreciated.

RP

Well, for a start, I would install chkrootkit to see if your linux box has any rootkits installed.

Baldrick

I did that - and got a lot of "not installed" "not detected" etc. The only question I had about it was when it came to:

Searching for suspicious files and dirs, it may take a while...

usr/lib/qt3/doc/examples/demo/qasteroids/sprites/.pbm /usr/lib/qt3/doc/examples/toplevel/.ui /usr/lib/qt3/doc/examples/help
demo/.ui /usr/lib/perl5/5.8.3/i586-linux-thread-multi/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/aut
o/Tk/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DBI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/
i586-linux-thread-multi/auto/PDA/Pilot/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Net/DNS/.pack
list /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/URI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux
-thread-multi/auto/XML/Parser/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/ycp/.packlist /usr/lib
/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/DCOP/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-mult
i/auto/Date/Manip/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Parser/.packlist /usr/lib/per
l5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/HTML/Tagset/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-m
ulti/auto/Gaim/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Mail/SpamAssassin/.packlist /usr/lib/
perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/RRDp/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi
/auto/RRDs/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadKey/.packlist /usr/lib/perl5/ven
dor_perl/5.8.3/i586-linux-thread-multi/auto/Term/ReadLine/Gnu/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-m
ulti/auto/Text/Iconv/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Config/Crontab/.packlist /usr/l
ib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Digest/HMAC/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-th
read-multi/auto/Digest/SHA1/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/CBC/.packlist /usr
/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Crypt/DES/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-th
read-multi/auto/Crypt/Blowfish/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/UI/.packlist /u
sr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/Irc/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-
thread-multi/auto/Irssi/TextUI/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Irssi/.packlist /usr/
lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/SDL_perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thre
ad-multi/auto/Parse/RecDescent/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Inline/.packlist /usr
/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Locale/gettext/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Compress/Zlib/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/grepmail/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/CDDB_get/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/libwww-perl/.packlist /usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/TimeDate/.packlist/usr/lib/perl5/vendor_perl/5.8.3/i586-linux-thread-multi/auto/Xmms-Perl/.packlist /usr/lib/uemacs/.emacsrc.3.12 /usr/lib/uem

Is this normal? Is it supposed to list this long list? I have never used this program, so I was just wanting to make sure it wasn't showing me a list of compromised files or something in a cryptic way.

Since it doesn't appear that anything was comprised that this program checks for - where should I go from here? Somebody still got my password and I am not sure how.

No, that seems normal. If it does detect anything, it will throw up a warning. Maybe one of the security gurus can provide more assistance.

Baldrick

One other line I am not clear on:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhcpcd)


There was no comment listed after this - any ideas?

Thanks - I am new to Linux (but love it).

the sniffer on eth0 dhcp is normal

That is just the check for packet sniffers. It incorrectly identifed /bin/dhcpd as being a sniffer. This a very common false positive with chkrootkit and isn't anything to be concerned about. If you want to be very sure, you can verify the integrity of the package (with rpm -V <package_name>.

also there is at least one more chkrootkit alternative you can verify with both

You were more likely to have been compromised through the XP Operating system.
From there, anyone could have downloaded a program that can read a Linux file system,
if it is not encrypted....I would first to a complete checkout of your XP system.

Are you sure it is not a problem with the bulletin board and not your system? Is the bulletin board patched and up to date?
Could be a problem on their end?

I was thinking about the same I want my ext3 to be unreadable from windows because that way anyone could install hdd or boot cd or similar and open /root without a hintch how to crypt it?

P.S. ..Its important to note that if you have been compromised,
messing around with your computer probably won't help.
What you need is to go to a hospital immediately, and let them
take samples, in case the culprit can be identified through DNA.

This thread is over 5 months old now. Let's try to keep it on topic and refrain from posting unless you have something relevant to contribute.