A Debian system I had running was very badly hacked. This was Debian speakup 2.6.18 kernel. I decided to write a cs script to run clamscan and found a really easy way to write that script, and was planning on sharing that technique until I had a listen of part of the log file I had the script make for me. Then it was time to preserve what I could and erase partitions and install a new system.

I'm most interested in what door or window I had left open for this hack to have happened. Activity on the system was downloading podcasts, which were preserved, and also doing some ssh connections, but sshd_config and ssh_config had been modified to not listen on any port; permit root login was disabled, and X11 forwarding was also turned off.

What follows is the part of the log I preserved:

-------------------------------------------------------------------------------
Unpacker process 11675 stopped due to exceeded limits
//usr/share/doc/lg/108/misc/laundrette/laundrette-108.txt: HTML.Phishing.Bank-1 FOUND
//usr/share/doc/lg/112/lg_laundrette.html: HTML.Phishing.Bank-164 FOUND
//usr/share/doc/lg/issue85/misc/mahoney/c.img.gz: GZip.ExceededFileSize FOUND
//usr/share/doc/lg/issue86/TWDT.txt.gz: Exploit.IFrame.Gen FOUND

Beyond that, here's a copy of the cs script used with clamscan:

#!/bin/bash
# file: cs - clamscan script
# Log to clamscan<today's date>.log, scan recursively, ring the bell on a hit,
# skip /dev, /proc, /pts and /tmp, report only infected files, treat broken,
# encrypted or over-limit archives as infected, and cap the unpacking limits.
clamscan -l clamscan`date -I`.log -r --bell --exclude=/dev --exclude=/proc --exclude=/pts --exclude=/tmp -i --detect-broken --block-encrypted --block-max --max-files=500 --max-space=10M --max-recursion=8 --max-ratio=250 --max-mail-recursion=8 --max-dir-recursion=15 --deb=/usr/bin/dpkg-deb / *

How I found that script so easy to write was that I put each command line option on its own line after clamscan, and when the several lines had all of those options I used the join command in ex to join those lines into the clamscan command you find in that script.
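The "one option per line, then join" technique from the post, carried one step further as an added example (this is not the poster's cs script): the option list keeps one clamscan option per line so each can carry a comment, and the join is done by the shell at run time instead of by ex. The option set is the one from the post; the log file name and scan paths are passed in by the caller, and the remarks about --exclude being a regular expression are this example's own notes, not anything the post says. build_cs_command only assembles and prints the command line; run_cs is the function that actually invokes clamscan.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Same "one option per line, then join" idea, with the join done in the
# shell so every option can be annotated. Only run_cs executes clamscan;
# build_cs_command just prints the assembled command line for inspection.

# One clamscan option per line. Lines starting with # and blank lines are
# dropped by the join step, so the list can be commented freely.
cs_options() {
    cat <<'EOF'
# scan directories recursively
-r
# sound the terminal bell when something is found
--bell
# --exclude takes a regular expression matched against the path, so these
# also skip any file whose path merely contains "/dev", "/proc", etc.;
# clamscan's --exclude-dir is the option meant for skipping whole directories.
--exclude=/dev
--exclude=/proc
--exclude=/pts
--exclude=/tmp
# print only infected files
-i
# treat broken executables, encrypted archives and archives that exceed the
# limits below as infected rather than silently skipping them
--detect-broken
--block-encrypted
--block-max
# unpacking limits: files per archive, extracted size, nesting depths and
# compression ratio, so one hostile archive cannot exhaust the scan
--max-files=500
--max-space=10M
--max-recursion=8
--max-ratio=250
--max-mail-recursion=8
--max-dir-recursion=15
# external dpkg-deb used by old clamscan releases to open .deb packages
--deb=/usr/bin/dpkg-deb
EOF
}

# The join step: strip comment and blank lines, then turn newlines into
# spaces. Equivalent to the ex :join the post describes, done at run time.
cs_joined_options() {
    cs_options | sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' | tr '\n' ' '
}

# Print the full command line without running it.
# $1 is the log file name; the remaining arguments are the paths to scan.
build_cs_command() {
    log=$1
    shift
    printf 'clamscan -l %s %s%s\n' "$log" "$(cs_joined_options)" "$*"
}

# Run the scan for real (requires clamscan to be installed).
run_cs() {
    log=$1
    shift
    # the joined options are deliberately unquoted so they split back into
    # separate arguments; none of them contains whitespace
    clamscan -l "$log" $(cs_joined_options) "$@"
}

# Usage: show the command the post's cs script would run, dated like the original.
build_cs_command "clamscan$(date -I).log" /
```

To actually scan, call run_cs with the same arguments, e.g. run_cs "clamscan$(date -I).log" /. Keeping the options in a function rather than on one long line means a later edit (say, switching the excludes to --exclude-dir) touches one annotated line instead of a 300-character command.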