Search Results

Search found 68 results on 3 pages for 'rootkit'.


  • Putting a whole linux server under source control (git)

    - by Tobias Hertkorn
    I am thinking about putting my whole linux server under version control using git. The reason behind it being that that might be the easiest way to detect malicious modifications/rootkits. All I would naively think is necessary to check the integrity of the system: Mount the linux partition every week or so using a rescue system, check if the git repository is still untampered and then issue a git status to detect any changes made to the system. Apart from the obvious waste in disk space, are there any other negative side-effects? Is it a totally crazy idea? Is it even a secure way to check against rootkits since I most likely would have to at least exclude /dev and /proc?

  • Entries in `/etc/inittab` below last line - possible hack? [closed]

    - by Danijel
    Possible Duplicate: My server's been hacked EMERGENCY My Linux machine has been hacked lately. There are a few entries in /etc/inittab below the #end of /etc/inittab Something like: #Loading standard ttys 0:2345:once:/usr/sbin/ttyload I also have several of the following lines: 2:2345:respawn:/sbin/mingetty tty2 3:2345:respawn:/sbin/mingetty tty3 . . . I know that my /usr/sbin/ttyload has been hacked, and I have removed it, but I don't know if I need this in inittab, nor whether I had ttyload before. Is this file common? Should I remove this line?

  • My webcam just came on "out of the blue"

    - by AngryHacker
    I have a Microsoft LifeCam HD sitting atop my monitor. Today, completely out of the blue, its light came on -- I was simply browsing the web (in Chrome) when it happened. After about 5 minutes the webcam turned off. Naturally, I immediately suspected my ex-wife (when in doubt, I always suspect her), but she isn't computer savvy enough. I looked over the process list and didn't see anything suspicious. I am running a couple of open source projects and free apps (e.g., greenshot, powermenu, supertray), but I've had them for years. Autoruns reports nothing suspicious in the startup and neither does Windows Defender. Anyways, what could it be? What should I look at next?

  • Not All “Viruses” Are Viruses: 10 Malware Terms Explained

    - by Chris Hoffman
    Most people seem to call every type of malware a “virus”, but that isn’t technically accurate. You’ve probably heard of many more terms beyond virus: malware, worm, Trojan, rootkit, keylogger, spyware, and more. But what do all these terms mean? These terms aren’t just used by geeks. They make their way into even mainstream news stories about the latest web security problems and tech scares. Understanding them will help you understand the dangers you hear about. Malware The word “malware” is short for “malicious software.” Many people use the word “virus” to indicate any type of harmful software, but a virus is actually just a specific type of malware. The word “malware” encompasses all harmful software, including all the ones listed below. Virus Let’s start with viruses. A virus is a type of malware that copies itself by infecting other files, just as viruses in the real world infect biological cells and use those biological cells to reproduce copies of themselves. A virus can do many different things — watch in the background and steal your passwords, display advertisements, or just crash your computer — but the key thing that makes it a virus is how it spreads. When you run a virus, it will infect programs on your computer. When you run the program on another computer, the virus will infect programs on that computer, and so on. For example, a virus might infect program files on a USB stick. When the programs on that USB stick are run on another computer, the virus runs on the other computer and infects more program files. The virus will continue to spread in this way. Worm A worm is similar to a virus, but it spreads a different way. Rather than infecting files and relying on human activity to move those files around and run them on different systems, a worm spreads over computer networks on its own accord.
For example, the Blaster and Sasser worms spread very quickly in the days of Windows XP because Windows XP did not come properly secured and exposed system services to the Internet. The worm accessed these system services over the Internet, exploited a vulnerability, and infected the computer. The worm then used the new infected computer to continue replicating itself. Such worms are less common now that Windows is properly firewalled by default, but worms can also spread in other ways — for example, by mass-emailing themselves to every email address in an affected user’s address book. Like a virus, a worm can do any number of other harmful things once it infects a computer. The key thing that makes it a worm is simply how it spreads copies of itself. Trojan (or Trojan Horse) A Trojan horse, or Trojan, is a type of malware that disguises itself as a legitimate file. When you download and run the program, the Trojan horse will run in the background, allowing third-parties to access your computer. Trojans can do this for any number of reasons — to monitor activity on your computer, to join your computer to a botnet. Trojans may also be used to open the floodgates and download many other types of malware onto your computer. The key thing that makes this type of malware a Trojan is how it arrives. It pretends to be a useful program and, when run, it hides in the background and gives malicious people access to your computer. It isn’t obsessed with copying itself into other files or spreading over the network, as viruses and worms are. For example, a piece of pirated software on an unscrupulous website may actually contain a Trojan. Spyware Spyware is a type of malicious software that spies on you without your knowledge. It collects a variety of different types of data, depending on the piece of spyware.
Different types of malware can function as spyware — there may be malicious spyware included in Trojans that spies on your keystrokes to steal financial data, for example. More “legitimate” spyware may be bundled along with free software and simply monitor your web browsing habits, uploading this data to advertising servers so the software’s creator can make money from selling their knowledge of your activities. Adware Adware often comes along with spyware. It’s any type of software that displays advertising on your computer. Programs that display advertisements inside the program itself aren’t generally classified as malware. The kind of “adware” that’s particularly malicious is the kind that abuses its access to your system to display ads when it shouldn’t. For example, a piece of harmful adware may cause pop-up advertisements to appear on your computer when you’re not doing anything else. Or, adware may inject additional advertising into other web pages as you browse the web. Adware is often combined with spyware — a piece of malware may monitor your browsing habits and use them to serve you more targeted ads. Adware is more “socially acceptable” than other types of malware on Windows and you may see adware bundled with legitimate programs. For example, some people consider the Ask Toolbar included with Oracle’s Java software adware. Keylogger A keylogger is a type of malware that runs in the background, recording every key stroke you make. These keystrokes can include usernames, passwords, credit card numbers, and other sensitive data. The keylogger then, most likely, uploads these keystrokes to a malicious server, where it can be analyzed and people can pick out the useful passwords and credit card numbers. Other types of malware can act as keyloggers. A virus, worm, or Trojan may function as a keylogger, for example. Keyloggers may also be installed for monitoring purposes by businesses or even jealous spouses. 
Botnet, Bot A botnet is a large network of computers that are under the botnet creator’s control. Each computer functions as a “bot” because it’s infected with a specific piece of malware. Once the bot software infects the computer, it will connect to some sort of control server and wait for instructions from the botnet’s creator. For example, a botnet may be used to initiate a DDoS (distributed denial of service) attack. Every computer in the botnet will be told to bombard a specific website or server with requests at once, and such millions of requests can cause a server to become unresponsive or crash. Botnet creators may sell access to their botnets, allowing other malicious individuals to use large botnets to do their dirty work. Rootkit A rootkit is a type of malware designed to burrow deep into your computer, avoiding detection by security programs and users. For example, a rootkit might load before most of Windows, burying itself deep into the system and modifying system functions so that security programs can’t detect it. A rootkit might hide itself completely, preventing itself from showing up in the Windows task manager. The key thing that makes a type of malware a rootkit is that it’s stealthy and focused on hiding itself once it arrives. Ransomware Ransomware is a fairly new type of malware. It holds your computer or files hostage and demands a ransom payment. Some ransomware may simply pop up a box asking for money before you can continue using your computer. Such prompts are easily defeated with antivirus software. More harmful malware like CryptoLocker literally encrypts your files and demands a payment before you can access them. Such types of malware are dangerous, especially if you don’t have backups. Most malware these days is produced for profit, and ransomware is a good example of that. Ransomware doesn’t want to crash your computer and delete your files just to cause you trouble.
It wants to take something hostage and get a quick payment from you. So why is it called “antivirus software,” anyway? Well, most people continue to consider the word “virus” synonymous with malware as a whole. Antivirus software doesn’t just protect against viruses, but against all types of malware. It may be more accurately referred to as “antimalware” or “security” software. Image Credit: Marcelo Alves on Flickr, Tama Leaver on Flickr, Szilard Mihaly on Flickr

  • What tool or scripts do you use to audit a Linux box?

    - by Sharjeel Sayed
    I use the following tools for my auditing needs
    A) System Auditing and Hardening (One time)
    1) Linux Security Auditing Tool (Security centric, Text based output)
    2) Dmidecode (Retrieves info from BIOS)
    3) Systeminfo (Generates a nice html report)
    4) Syssumm (Inactive since Oct 2000)
    5) Rootkit Hunter (Does a basic config check in addition to rootkit checks)
    6) CIS benchmarks
    7) Bastille (Interactive hardening and a security scoring tool)
    B) Automatic Auditing (as a cron job or a service)
    1) Logwatch
    2) Psad
    C) Remote Auditing
    1) Nmap (Port scanning)
    2) Nessus (Remote Vulnerability check)
    D) Wikipedia
    1) System profiler
    Any other tools/scripts which you can recommend?

  • ps aux as non-root doesn't show all processes

    - by JMW
    Hi, I'm using an ubuntu 10.04 server... when I run ps aux as root I see all processes; when I run ps aux as nonroot I see JUST the processes of the current user. After a bit of research I found the following solution:
    root@m85:~# ls -al /proc/
    total 4
    dr-xr-xr-x 122 root root 0 2010-12-23 14:08 .
    drwxr-xr-x 22 root root 4096 2010-12-23 13:30 ..
    dr-x------ 6 root root 0 2010-12-23 14:08 1
    dr-x------ 6 root root 0 2010-12-23 14:08 10
    dr-x------ 6 root root 0 2010-12-23 14:08 1212
    dr-x------ 6 root root 0 2010-12-23 14:08 1227
    dr-x------ 6 root root 0 2010-12-23 14:08 1242
    dr-x------ 6 zabbix zabbix 0 2010-12-24 23:52 12747
    [...]
    My first idea was, that it got mounted in a weird way: /etc/fstab is ok and it doesn't seem to be mounted in a weird way... My second idea was, that there might be a rootkit: but it's not a rootkit... rkhunter tells me, that there is no rootkit installed... I don't know if it is since the machine got installed or came with an update. I've just installed zabbix-agent on the machine and realized, that it didn't work properly... What could have caused such strange permissions (500) and how can I set it back to a normal level (555)? Crazy, I've never seen something like that... thanks in advance for any help and merry christmas :) see you

  • WesternDigital SmartWare - still problematic?

    - by FrustratedWithFormsDesigner
    I've seen a lot of bad press on WD SmartWare (I think it comes on most WD backup devices now, such as their MyBook product line), mostly related to how it's impossible to remove properly or replace. There are allegations (I couldn't tell how true they were) that it has/is a rootkit, as well. Most of the articles are a couple of years old, so I'm wondering if SmartWare is still just as problematic as it was. Does it still have a nasty rootkit reputation and should I just stick with the Windows 7 built-in backup system, or is the current SmartWare generation improved and better behaved?

  • How to Use An Antivirus Boot Disc or USB Drive to Ensure Your Computer is Clean

    - by Chris Hoffman
    If your computer is infected with malware, running an antivirus within Windows may not be enough to remove it. If your computer has a rootkit, the malware may be able to hide itself from your antivirus software. This is where bootable antivirus solutions come in. They can clean malware from outside the infected Windows system, so the malware won’t be running and interfering with the clean-up process. The Problem With Cleaning Up Malware From Within Windows Standard antivirus software runs within Windows. If your computer is infected with malware, the antivirus software will have to do battle with the malware. Antivirus software will try to stop the malware and remove it, while the malware will attempt to defend itself and shut down the antivirus. For really nasty malware, your antivirus software may not be able to fully remove it from within Windows. Rootkits, a type of malware that hides itself, can be even trickier. A rootkit could load at boot time before other Windows components and prevent Windows from seeing it, hide its processes from the task manager, and even trick antivirus applications into believing that the rootkit isn’t running. The problem here is that the malware and antivirus are both running on the computer at the same time. The antivirus is attempting to fight the malware on its home turf — the malware can put up a fight. Why You Should Use an Antivirus Boot Disc Antivirus boot discs deal with this by approaching the malware from outside Windows. You boot your computer from a CD or USB drive containing the antivirus and it loads a specialized operating system from the disc. Even if your Windows installation is completely infected with malware, the special operating system won’t have any malware running within it. This means the antivirus program can work on the Windows installation from outside it. 
The malware won’t be running while the antivirus tries to remove it, so the antivirus can methodically locate and remove the harmful software without it interfering. Any rootkits won’t be able to set up the tricks they use at Windows boot time to hide themselves from the rest of the operating system. The antivirus will be able to see the rootkits and remove them. These tools are often referred to as “rescue disks.” They’re meant to be used when you need to rescue a hopelessly infected system. Bootable Antivirus Options As with any type of antivirus software, you have quite a few options. Many antivirus companies offer bootable antivirus systems based on their antivirus software. These tools are generally free, even when they’re offered by companies that specialize in paid antivirus solutions. Here are a few good options: avast! Rescue Disk – We like avast! for offering a capable free antivirus with good detection rates in independent tests. avast! now offers the ability to create an antivirus boot disc or USB drive. Just navigate to the Tools -> Rescue Disk option in the avast! desktop application to create bootable media. BitDefender Rescue CD – BitDefender always seems to receive good scores in independent tests, and the BitDefender Rescue CD offers the same antivirus engine in the form of a bootable disc. Kaspersky Rescue Disk – Kaspersky also receives good scores in independent tests and offers its own antivirus boot disc. These are just a handful of options. If you prefer another antivirus for some reason — Comodo, Norton, Avira, ESET, or almost any other antivirus product — you’ll probably find that it offers its own system rescue disk. How to Use an Antivirus Boot Disc Using an antivirus boot disc or USB drive is actually pretty simple. You’ll just need to find the antivirus boot disc you want to use and burn it to disc or install it on a USB drive.
You can do this part on any computer, so you can create antivirus boot media on a clean computer and then take it to an infected computer. Insert the boot media into the infected computer and then reboot. The computer should boot from the removable media and load the secure antivirus environment. (If it doesn’t, you may need to change the boot order in your BIOS or UEFI firmware.) You can then follow the instructions on your screen to scan your Windows system for malware and remove it. No malware will be running in the background while you do this. Antivirus boot discs are useful because they allow you to detect and clean malware infections from outside an infected operating system. If the operating system is severely infected, it may not be possible to remove — or even detect — all the malware from within it. Image Credit: aussiegall on Flickr

  • Stuxnet - how it infects

    - by Kit Ong
    Excerpt from the CNET article: http://news.cnet.com/8301-13772_3-57413329-52/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/?part=propeller&subj=news&tag=linkv
    The Stuxnet worm propagates by exploiting a hole in all versions of Windows in the code that processes shortcut files, ending in ".lnk," according to...[the] Microsoft Malware Protection Center....Merely browsing to the removable media drive using an application that displays shortcut icons, such as Windows Explorer, will run the malware without the user clicking on the icons. The worm infects USB drives or other removable storage devices that are subsequently connected to the infected machine. Those USB drives then infect other machines much like the common cold is spread by infected people sneezing into their hands and then touching door knobs that others are handling. The malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Taiwanese chip manufacturers that are based in the same industrial complex in Taiwan--RealTek and JMicron, according to Chester Wisniewski, senior security advisor at Sophos.... It is unclear how the digital signatures were acquired by the attacker, but experts believe they were stolen and that the companies were not involved. Once the machine is infected, a Trojan looks to see if the computer it lands on is running Siemens' Simatic WinCC software. The malware then automatically uses a default password that is hard-coded into the software to access the control system's Microsoft SQL database.
  • Browser redirection

    - by Xiad
    I am always getting redirected to this http://search.tedata.net tedata is my internet provider. I called them; they say they can't help unless I have windows, but I don't want to go back to windows. I tried rootkit hunter but it didn't work either. I don't know what is wrong, how could this keep coming up even after formatting my hard drive? Is it possible that the ubuntu version I have downloaded from the website is defective? The problem didn't appear with linux mint or xubuntu, it only appeared when I replaced unity with cinnamon, but now it appears right away after clean installation of ubuntu 12.04

  • How to get rid of the new "practically indestructible" botnet? Advice from Microsoft and Symantec

    Microsoft is warning about Popureb, a new sophisticated rootkit capable of overwriting the MBR (Master Boot Record) that is particularly difficult, even impossible, to detect. The Microsoft Malware Protection Center states in a blog post that if a user's operating system is infected by the Trojan Win32/Popureb.E, the user will have to restore the MBR and then use the recovery CD to restore the system to a state prior to the infection.

  • Digitally Signed Malware on the Rise

    Brought to the forefront in 2010 with Stuxnet, the infamous worm aimed at sabotaging industrial infrastructure, the use of stolen digital certificates is relatively new. Stuxnet's creators digitally signed its rootkit components with stolen certificates from JMicron and RealTek, a pair of semiconductor manufacturers. The worm's existence and complexity caught the security community by surprise. In fact, many researchers predicted that malware creators would begin adopting the same technique to work around driver signature enforcement employed by Microsoft in its 64-bit versions of Windows V...

  • Is this a false positive by Avast?

    - by Celeritas
    Avast keeps detecting the rootkit Win32:Evo-gen. I select to delete it, but when I restart the computer the message pops up again. The location is C:\Program Files(x86)\ASUS\AsusFanControlService\1.00.17\AsusFanControlService.exe this somewhat makes sense because I do have an Asus motherboard. Should I choose "ignore" and remember the selection or is it likely I do have a virus that is resisting deletion?

  • Dissect System Restore snapshots

    - by Unsigned
    Is there any way to map the A000????.??? filenames in the System Volume Information to their original names, without restoring them? The reason I ask is that several files in one user's System Volume Information RP1 were infected by a rootkit. Although they've been removed, I'd like to be able to figure out what they were originally. A0001253.sys and A0001211.sys are not very helpful names. :) It happened on two systems, one XP SP2, the other XP SP3.

  • Crisis: the first malware to target virtual machines on Windows

    Previously known as Morcut, "Crisis" is a malicious rootkit that infects the Windows and Mac OS X operating systems. It gets onto the machine through a fake Adobe Flash Player installer hidden in a JAR archive digitally signed by VeriSign. The archive contains two executables, one for Mac OS X and one for Windows. According to the latest Symantec Security report, the malware spreads in the Windows environment through the autorun mechanism of removable hard drives, and installs components on Windows Mobile devices. Entr...

  • Finder conceals network connections from lsof?

    - by jdizzle
    If I use the Finder's Go-Connect to Server and connect to an smb/afs, I can see the connection in netstat. But I can't see it in lsof. I also use LittleSnitch, and it fails to detect outbound connections from the Finder. Why is this? Is there some sort of "Apple rootkit" that I'm not aware of?

  • Why Chrome modifies IDT?

    - by muslon
    Chrome 4.0.266.0, Rootkit Unhooker 3.7.300.503. If Chrome is running, RkUnhooker shows in Code Hooks: IDT--Int 0x000000B1 0x863DDDD4 - [unknown_irp_handler] IDT modification Why does Chrome modify the IDT?

  • Windows 7 BSOD - ntoskrnl?

    - by Ken Mason
    2 new HP Pavilion notebooks with 7 Home Premium pre-loaded with Norton. My first act was to use the Norton Removal Tool and load ZoneAlarm free and AVG Free. Frequent random BSOD's ever since...I found my way into Debug and have had various reports regarding ntoskrnl, depending on the status of symbols. It's been many years since I played with (DOS 3.x) debug, so this has been a considerable fumble. Excerpts follow and any insights would be greatly appreciated, as I am not a developer: ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information. If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. MODULE_NAME: nt FAULTING_MODULE: fffff8000305d000 nt DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cfeb BUGCHECK_STR: 0x7f_8 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT CURRENT_IRQL: 0 LAST_CONTROL_TRANSFER: from fffff800030ccb69 to fffff800030cd600 STACK_TEXT: fffff80004d6fd28 fffff800030ccb69 : 000000000000007f 0000000000000008 0000000080050033 00000000000006f8 : nt+0x70600 fffff80004d6fd30 000000000000007f : 0000000000000008 0000000080050033 00000000000006f8 fffff80003095e58 : nt+0x6fb69 fffff80004d6fd38 0000000000000008 : 0000000080050033 00000000000006f8 fffff80003095e58 0000000000000000 : 0x7f fffff80004d6fd40 0000000080050033 : 00000000000006f8 fffff80003095e58 0000000000000000 0000000000000000 : 0x8 fffff80004d6fd48 00000000000006f8 : fffff80003095e58 0000000000000000 0000000000000000 0000000000000000 : 0x80050033 fffff80004d6fd50 fffff80003095e58 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x6f8 fffff80004d6fd58 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt+0x38e58 STACK_COMMAND: kb FOLLOWUP_IP: nt+70600 fffff800`030cd600 48894c2408 mov qword ptr [rsp+8],rcx SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt+70600 FOLLOWUP_NAME: MachineOwner IMAGE_NAME: ntoskrnl.exe BUCKET_ID: WRONG_SYMBOLS Followup: 
MachineOwner ...................................................................... 0: kd !lmi nt Loaded Module Info: [nt] Module: ntkrnlmp Base Address: fffff8000305d000 Image Name: ntkrnlmp.exe Machine Type: 34404 (X64) Time Stamp: 4b88cfeb Sat Feb 27 00:55:23 2010 Size: 5dc000 CheckSum: 545094 Characteristics: 22 perf Debug Data Dirs: Type Size VA Pointer CODEVIEW 25, 19c65c, 19bc5c RSDS - GUID: {7E9A3CAB-6268-45DE-8E10-816E3080A3B7} Age: 2, Pdb: ntkrnlmp.pdb CLSID 4, 19c658, 19bc58 [Data not mapped] Image Type: FILE - Image read successfully from debugger. ntkrnlmp.exe Symbol Type: PDB - Symbols loaded successfully from symbol server. d:\debugsymbols\ntkrnlmp.pdb\7E9A3CAB626845DE8E10816E3080A3B72\ntkrnlmp.pdb Load Report: public symbols , not source indexed d:\debugsymbols\ntkrnlmp.pdb\7E9A3CAB626845DE8E10816E3080A3B72\ntkrnlmp.pdb 0: kd !analyze -v * Bugcheck Analysis * * UNEXPECTED_KERNEL_MODE_TRAP (7f) This means a trap occurred in kernel mode, and it's a trap of a kind that the kernel isn't allowed to have/catch (bound trap) or that is always instant death (double fault). The first number in the bugcheck params is the number of the trap (8 = double fault, etc) Consult an Intel x86 family manual to learn more about what these traps are. Here is a portion of those codes: If kv shows a taskGate use .tss on the part before the colon, then kv. Else if kv shows a trapframe use .trap on that value Else .trap on the appropriate frame will show where the trap was taken (on x86, this will be the ebp that goes with the procedure KiTrap) Endif kb will then show the corrected stack. 
Arguments: Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT Arg2: 0000000080050033 Arg3: 00000000000006f8 Arg4: fffff80003095e58 Debugging Details: BUGCHECK_STR: 0x7f_8 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT PROCESS_NAME: System CURRENT_IRQL: 2 LAST_CONTROL_TRANSFER: from fffff800030ccb69 to fffff800030cd600 STACK_TEXT: fffff80004d6fd28 fffff800030ccb69 : 000000000000007f 0000000000000008 0000000080050033 00000000000006f8 : nt!KeBugCheckEx fffff80004d6fd30 fffff800030cb032 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69 fffff80004d6fe70 fffff80003095e58 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiDoubleFaultAbort+0xb2 fffff880089efc60 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!SeAccessCheckFromState+0x58 STACK_COMMAND: kb FOLLOWUP_IP: nt!KiDoubleFaultAbort+b2 fffff800`030cb032 90 nop SYMBOL_STACK_INDEX: 2 SYMBOL_NAME: nt!KiDoubleFaultAbort+b2 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrnlmp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 4b88cfeb FAILURE_BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2 BUCKET_ID: X64_0x7f_8_nt!KiDoubleFaultAbort+b2 Followup: MachineOwner I tried running Rootkit Revealer but I don't think it works on x64 systems. Similarly Blacklight seems to have aged off. I'm running Sophos Anti-Rootkit now. So far so good...

  • Security measures for CentOS

    - by cappuccinodrinker
    I have been tightening up my web server security and wanted to know what else I can do. I am running CentOS 5 with these measures:
    - All passwords to FTP, MySQL etc are generated from grc.com/passwords.htm and microsoft.com/protect/fraud/passwords/create.aspx (for the ones which cannot be too long).
    - Running iptables with all ports shut off except for http mail and smtp, the important ports like FTP SSH are blocked to all except my static office IP. There is also no response to pings.
    - Rootkit Hunter running daily
    - The server is PCI compliant according to Comodo
    - Not running any crappy made php apps, we use Zend Framework for our stuff and do have kayako installed and keep them up to date.
    Can't really think of anything else I can do... I could implement a brute force measure, but I think I already have by simply changing my SSH port to a number above 10000 and blocking it off with iptables.

  • Picking up a lot of failed authentications for various accounts

    - by Josh K
    My server is getting a lot of various failed authentication attempts for various accounts. The most common one (that I've seen) is for the root account. I have since enabled Fail2Ban and ran several rootkit / malware checks to ensure I wasn't compromised. Is there anything else I should do? I only have three accounts enabled, and SSH access for only two. I have a full 48hr ban on anyone making more than six failed SSH login attempts. I do not have FTP enabled.

  • rkhunter warns of inode change but no file modification date changes

    - by Nicholas Tolley Cottrell
    I have several systems running Centos 6 with rkhunter installed. I have a daily cron running rkhunter and reporting back via email. I very often get reports like:
    ---------------------- Start Rootkit Hunter Scan ----------------------
    Warning: The file properties have changed:
    File: /sbin/fsck
    Current inode: 6029384 Stored inode: 6029326
    Warning: The file properties have changed:
    File: /sbin/ip
    Current inode: 6029506 Stored inode: 6029343
    Warning: The file properties have changed:
    File: /sbin/nologin
    Current inode: 6029443 Stored inode: 6029531
    Warning: The file properties have changed:
    File: /bin/dmesg
    Current inode: 13369362 Stored inode: 13369366
    From what I understand, rkhunter will usually report a changed hash and/or modification date on the scanned files too, so this leads me to think that there is no real change. My question: is there some other activity on the machine that could make the inode change (running ext4), or is this really yum making regular (~ once a week) changes to these files as part of normal security updates?

  • Recommend AntiVirus for Plesk 8.6.0 + CentOS 5

    - by cappuccino
    I am using a virtual server on Media Temple running CentOS 5 and Plesk 8.6.0. I have done all their security recommendations and then some: blocking everything except http and mail, strong passwords and running Rootkit Hunter daily. But I'm thinking I should run an antivirus of some sort? I'm still new to Linux CentOS security so please forgive :)... Can you recommend a good antivirus/antispyware software for CentOS 5 and Plesk 8.6.0? I've been searching for some plesk modules and have come across a few like Kaspersky, not sure which one to use... Any tips on security would be good too.

  • What postgresql client version should I build against, if server is 8.x?

    - by Ben Voigt
    I'm planning updates to a system that is currently running with 8.x server on Windows, 8.x client on Windows, and 8.x client on Linux. Obviously that seems like a bad choice of platform in a mixed environment, but the Linux machine has no persistent writable storage (as an anti-rootkit measure). I'm concerned with compatibility between versions right now. Can a linux postgresql 9.0.x client connect to a Windows 8.x server? The server is using some third-party binary extensions, so upgrading it is a more involved task and will be done later. If combining a 9.0.x client and 8.x server is discouraged, would latest 8.x clients be able to continue to connect if I did upgrade the server first? META: What tag is appropriate for backward-compatibility questions?

  • Why does my browser take me to Scour.com? (redirect virus)

    - by Paula DiTallo
    The "scour" or Rootkit.Win32.TDSS virus has a long history which can be found here: http://en.wikipedia.org/wiki/Scour Here is the primary symptom: after searching for something in your web browser using google, one of the results that you click on redirects you to scour.com. If you've executed ClamWin, Malwarebytes, McAfee, Norton, etc. to find and isolate the virus without any luck--this isn't really a surprise, since this virus attaches to existing system drivers. I only know of one reliable package that will remove this without ill effects--like adding new spyware. This package is called TDSSKiller. I have seen multiple websites that claim to have this software available, but the one that I know is reliable is located here: http://support.kaspersky.com/viruses/solutions?qid=208280684 Once you go to Kaspersky's tech support site, the TDSSKiller zip file is available for downloading. When you execute this software, you will be able to "cure" or repair the infected driver. Remember to jot down the name of the driver for future reference--should you need to reinstall the driver from a "same-as" working computer, or your install disk if the repair is ineffective. The driver that happened to get infected on my computer was the tcpip.sys driver. This caused my win sockets to lose their IP addresses. In most other instances, less critical drivers such as HDAudBus.sys are infected. In my case, I was not through correcting my computer problems until I corrected the broken WinSock issue and loaded an earlier version of the tcpip.sys driver from: C:\WINDOWS\ServicePackFiles\i386 which I placed in: C:\WINDOWS\system32\drivers Don't forget to reboot your computer after your repair! Once you download TDSSKiller and cure/repair your infected driver(s), the redirect on google searches should disappear.

  • Control Windows VM from Linux Host

    - by vy32
    I am looking for a tool that will allow me to monitor and control programs running inside a Windows VM from the Linux host machine. I realize that this is similar to what a rootkit would do, and I am completely happy to use some hacker software if it provides the necessary functionality (and if I can get it in source-code form). If I can't find something, I'll have to write it using C. Probably an embedded HTTP server running on an odd port and doing some kind of XMLRPC thing. Here is the basic functionality I need:
    - Get list of running processes
    - Kill a process.
    - Start a process
    - Read/write/create/delete files
    I would like to:
    - Read contents of screen
    - Read all controls on screen.
    - Send arbitrary click to a Windows control.
    Does anything like this exist?
