Hacked?

[trvl]

Hej

Jeg instaleret Ubunto på min com for et par uger siden, og alt kører fint.. Jeg dog blevet en lille smule bekymret da mit mouse-pad for et par dage siden spontant blev midlertidigt deaktiveret af sig selv! Jeg gik over til min tastatur-mus istedet, men pilen begyndte så at gå i modsat retning af hvad jeg bad den om.. Derefter virkede mit mouse-pad igen. Det bekymrer mig, især fordi jeg havde et stort problem med en nasty trojansk hest på det win-xp der var på computeren før Ubuntu..

Som gammel Windows bruger var det første jeg gjorde naturligvis at ty til anti-virus (som videre læsning så har lært mig nok var meningsløst)--- Jeg brugte Clamtk 3.11, som så fandt 3 vira, som jeg slettede manualt gennem terminal som root (sudo bash)---Jeg var ikke istand til at slette den sidste da jeg ikke havde adgand, på trods af at jeg var root og brugte chmod og chom på filen, som heder slab_size (/sys/kernel/slab/:0000704/slab_size)---(Igen har videre læsning indikeret at den fil skal være der?)

Jeg forsatte så med at downloade chkrootkit og kører det i terminal, alt så fint ud bortset fra at jeg fik beskeden: Checking `z2'... user deleted or never logged from lastlog!

Hele scanningen så sådan her ud:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not found
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/firefox-3.0.5/.autoreg /usr/lib/xulrunner-1.9.0.5/.autoreg /lib/modules/2.6.27-11-generic/volatile/.mounted /lib/init/rw/.ramfs

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... chkproc: nothing detected
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhclient3[6694])
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... user deleted or never logged from lastlog!

Jeg har prøvet at google den sidste besked, men syntes ikke rigtigt jeg kan få noget endegyldigt svar på om det er noget der skal bekymre mig, eller om det betyder ingenting...

I det hele taget overvejer jeg nu om det bedste bare er at slette alt og geninstalere Ubuntu,på trods af at alt generelt fungere perfekt...

Nogle tanker/råd???

[lath]

Jeg tror ikke at der er nogen virus på din computer:

Oversættelse af:

eth0: PACKET SNIFFER(/sbin/dhclient3[6694])

• eth0 er dit første trådede netværksinterface, det vil sige der hvor du har dit netværkskabel tilsluttet
• /sbin/dhclient3 er et program fra dhcp-client3 pakken, som gør det muligt for din computer en komplet internetopsætning fra din internetudbyder. Fjerner du den kan ikke komme på internettet før efter en reinstallation.
• 6694 er den port som programmet snakker med en DHCP server om (re)leases.

Synaptic om dhcp-client3 pakken:

DHCP client
This is the client from version 3 of the Internet Software
Consortium's implementation of DHCP. For more information visit
http://www.isc.org.

Dynamic Host Configuration Protocol (DHCP) is a protocol like BOOTP
(actually dhcpd includes much of the functionality of bootpd). It
gives client machines "leases" for IP addresses and can
automatically set their network configuration. If your machine
depends on DHCP (especially likely if it's a workstation on a large
network, or a laptop, or attached to a cable modem), keep this or
another DHCP client installed.

Med andre ord er programmets advarsel en såkaldt falsk positiv (falsk alarm) om malware.

/Lars

[trvl]

Tak for dit svar, så jeg mere rolig. Mit mouse-pad problem lader også til at være selvforskyldt, så bare en omgang paranoia..