How would I know if my OS is compromised?
Posted
by
itsols
on Ask Ubuntu
See other posts from Ask Ubuntu
or by itsols
Published on 2012-10-11T14:06:17Z
Indexed on
2012/10/11
15:48 UTC
Read the original article
Hit count: 232
I had opened a php folder from a friend's web host. I run it on mine to fix some bugs.
Then I tried attaching the code to be emailed and GMAIL stated that the attachment was infected by a virus.
Now I'm afraid if my Apache or OS (12.04) is infected.
I checked the php files and found a base64 encoded set of code being 'eval'd at the top of each and every php file. Just reversing it (echo with htmlspecialchars) showed some clue that there were sockets in use and something to do with permissions. And also there were two websites referred having .ru extensions.
Now I'm afraid if my Ubuntu system is affected or compromised.
Any advice please!
Here's my second run of rkhunter with the options:
sudo rkhunter --check --rwo Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
Warning: Hidden directory found: /dev/.udev
Warning: Hidden file found: /dev/.initramfs: symbolic link to `/run/initramfs'
© Ask Ubuntu or respective owner