How would I know if my OS is compromised?

Posted by itsols on Ask Ubuntu See other posts from Ask Ubuntu or by itsols
Published on 2012-10-11T14:06:17Z Indexed on 2012/10/11 15:48 UTC
Read the original article Hit count: 232

Filed under:
|
|
|

I had opened a php folder from a friend's web host. I run it on mine to fix some bugs.

Then I tried attaching the code to be emailed and GMAIL stated that the attachment was infected by a virus.

Now I'm afraid if my Apache or OS (12.04) is infected.

I checked the php files and found a base64 encoded set of code being 'eval'd at the top of each and every php file. Just reversing it (echo with htmlspecialchars) showed some clue that there were sockets in use and something to do with permissions. And also there were two websites referred having .ru extensions.

Now I'm afraid if my Ubuntu system is affected or compromised.

Any advice please!

Here's my second run of rkhunter with the options:

sudo rkhunter --check --rwo Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text

Warning: Hidden directory found: /dev/.udev

Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'

© Ask Ubuntu or respective owner

Related posts about security

Related posts about apache