#1
|
I recently visited my parents. They have a Windows computer. (Windows ME). I used it to log on to my home Linux computer using putty and also to a couple sites (eBay and some unimportant informational sites).

Later we downloaded some antivirus software and found some viruses.

I am now worried that perhaps my keyboard was spied on and that my passwords became known to bad people. Though I changed my passwords in a few days, I am worried that perhaps the "hackers" already broke into my home computer and installed rootkits (so "last" no longer reports correct info, etc).

Is my paranoia unfounded (eg the probability of this happening is very low), or not? Is there any rootkit detection software for Linux?

i
|
#2
|
On 2007-06-06, Ignoramus27187 wrote:
> Is my paranoia unfounded (eg the probability of this happening is very
> low), or not? Is there any rootkit detection software for Linux?

no, yes

No, a little paranoia is healthy for your computer. Yes, there are rootkit detection programs for linux. You can find them with google.

nb
|
#3
|
Ignoramus27187 wrote:
> I recently visited my parents. They have a Windows computer. (Windows
> ME). I used it to log on to my home Linux computer using putty and
> also to a couple sites (eBay and some unimportant informational
> sites).
>
> Later we downloaded some antivirus software and found some viruses.
>
> I am now worried that perhaps my keyboard was spied on and that my
> passwords became known to bad people. Though I changed my passwords in
> a few days, I am worried that perhaps the "hackers" already broke into
> my home computer and installed rootkits (so "last" no longer reports
> correct info, etc).
>
> Is my paranoia unfounded (eg the probability of this happening is very
> low), or not? Is there any rootkit detection software for Linux?

chkrootkit
|
#4
|
On 2007-06-06, Ignoramus27187 wrote:
> I recently visited my parents. They have a Windows computer. (Windows
> ME). I used it to log on to my home Linux computer using putty and
> also to a couple sites (eBay and some unimportant informational
> sites).
>
> Later we downloaded some antivirus software and found some viruses.
>
> I am now worried that perhaps my keyboard was spied on and that my
> passwords became known to bad people. Though I changed my passwords in
> a few days, I am worried that perhaps the "hackers" already broke into
> my home computer and installed rootkits (so "last" no longer reports
> correct info, etc).
>
> Is my paranoia unfounded (eg the probability of this happening is very
> low), or not? Is there any rootkit detection software for Linux?

I can't answer as to the likelihood that your Linux machine may have been cracked. Changing your passwords was probably a very good idea or at least a good start.

There are rootkit detectors for Linux, but once a system has been cracked, not even the kernel is really trustworthy. In theory, if the rootkit was perfect, you would actually now be running inside a virtual environment managed by the rootkit--something like the electronic equivalent of "The Truman Show".

One rootkit detector is chkrootkit. It does produce some false positives and some folks don't consider it very good. Tripwire is another intrusion detector that has a lot of advantages, but it requires taking an initial snapshot of a known clean state, _before_ any possible crack. (I use both chkrootkit and tripwire.)

Another thing you might consider doing for a bit of good measure is keeping a record of package verification results. For example, on an RPM-based distribution, run "rpm -qa" and put results into a file. Then, do "rpm -Va" or "rpm -V $pkg" for each installed package, with those results put in a file. Keep the files around. Compare the most recent files against the previous files. Do this immediately before _and_ immediately after any package installation or update or significant system administration operation. Make sure nothing changed that isn't accounted for.

HTH

--
Robert Riches
spamtrap42-at-verizon.net
(Yes, that is one of my email addresses.)
|
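One way to do the comparison of saved `rpm -Va` results described in post #4, as an added example that is not part of the thread: it diffs an earlier and a later verification file and decodes the attribute flags of anything new. The function names and the sample output are constructed for illustration.

```python
import re

# Meaning of each character rpm -V can put in the attribute column.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# attribute string (or "missing"), optional file-type marker, then the path
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify(text):
    """Map path -> (attribute string, marker) from saved `rpm -Va` output."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if m:
            found[m.group(3)] = (m.group(1), m.group(2) or "")
    return found

def explain(attrs):
    """Name the checks that failed, e.g. 'S.5....T.' -> size, digest, mtime."""
    return ["missing"] if attrs == "missing" else [FLAGS[c] for c in attrs if c in FLAGS]

def unaccounted(before, after):
    """Deviations in the later run that the earlier run did not already show.

    Content changes or deletions of non-config files sort first: packaged
    binaries are not expected to change outside a package update.
    """
    old, new = parse_verify(before), parse_verify(after)
    findings = []
    for path, (attrs, marker) in new.items():
        if old.get(path, ("",))[0] == attrs:
            continue                      # already recorded in the earlier file
        serious = marker != "c" and (attrs == "missing" or "5" in attrs)
        findings.append((not serious, path, explain(attrs)))
    return [(path, why) for _, path, why in sorted(findings)]

# Constructed sample output, not taken from a real system.
BEFORE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man1/ls.1.gz
"""
AFTER = BEFORE + """\
S.5....T.    /usr/bin/last
..5....T.  c /etc/hosts
missing      /usr/share/doc/example/README
"""

if __name__ == "__main__":
    for path, why in unaccounted(BEFORE, AFTER):
        print(path, ", ".join(why))
```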
#5
|
On Wed, 06 Jun 2007 13:08:33 -0500, notbob wrote:
> On 2007-06-06, Ignoramus27187 wrote:
>
>> Is my paranoia unfounded (eg the probability of this happening is very
>> low), or not? Is there any rootkit detection software for Linux?
>
> no, yes
>
> No, a little paranoia is healthy for your computer. Yes, there are
> rootkit detection programs for linux. You can find them with google.
>

Thanks. I downloaded it and am running it right now, nothing found so far, but it is in progress.

i
|
#6
|
Robert, thanks. I ran chkrootkit and it did not find anything. I think that I will stop at this point. Just a personal judgment.

i
|
#7
|
On 2007-06-06, Ignoramus27187 wrote:
> Thanks. I downloaded it and am running it right now, nothing found so
> far, but it is in progress.

Now, for the paranoia part. If you weren't paranoid enough, before, read this:

http://www.cio.com/article/114550

IOW, chkrootkit may be useless. Your only way to really be sure is to do a fresh reinstall and keep security patches current while constantly monitoring your system. And get that packet filter firewall (iptables) up and running. There's no such thing as being too paranoid.

BTW, you did good. I won't use a windoze box for any online functions that require any level of security. Good luck.

nb
|
#8
|
In comp.os.linux.misc on Wed, 06 Jun 2007 12:56:53 -0500, Ignoramus27187 wrote:
> I recently visited my parents. They have a Windows computer. (Windows
> ME).

Ouch.

> I used it to log on to my home Linux computer using putty and
> also to a couple sites (eBay and some unimportant informational
> sites).

You're right to assume that those passwords may have been compromised.

> Later we downloaded some antivirus software and found some viruses.
>
> I am now worried that perhaps my keyboard was spied on and that my
> passwords became known to bad people. Though I changed my passwords in
> a few days, I am worried that perhaps the "hackers" already broke into
> my home computer and installed rootkits (so "last" no longer reports
> correct info, etc).

Do you have sudo permissions when connecting remotely? Did you use su and type the root password? If not, you're probably OK. Otherwise, I suggest a clean installation. Save your existing files and examine them carefully before putting them back.

> Is my paranoia unfounded (eg the probability of this happening is very
> low), or not?

In general, paranoid people don't get hacked much.

> Is there any rootkit detection software for Linux?

Yes, see other replies.

--
PJR :-)
|
#9
|
On 2007-06-06, Peter J Ross wrote:
> In comp.os.linux.misc on Wed, 06 Jun 2007 12:56:53 -0500,
> Ignoramus27187 wrote:
>
>> I recently visited my parents. They have a Windows computer. (Windows
>> ME).
>
> Ouch.

Boy, howdy! I was in the same situation. A thousand miles from home and the only connection with the outside world an XP box on dial-up. Yikes! After 2 days of attempted delousing and intense security sweeps, I finally packed it in and resolved myself to not accessing any critical online accounts. Online banking and ebay and whatnot is a great thing, but not on a computer you are not absolutely 100% sure of.

nb
|
#10
|
"I" == Ignoramus27187 writes:

I> I am now worried that perhaps my keyboard was spied on and that my
I> passwords became known to bad people. Though I changed my passwords in
I> a few days, I am worried that perhaps the "hackers" already broke into
I> my home computer and installed rootkits (so "last" no longer reports
I> correct info, etc).

Compare the MD5 sums and permissions of all your binaries, /etc contents, kernel images and modules with the ones from your latest backup.
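The backup comparison suggested in post #10, as an added example that is not code from the thread: it fingerprints every file under a restored backup tree and the live tree, then reports content, permission and ownership differences plus added or missing files. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def fingerprint(path, algo="md5"):
    """(digest, permission bits, uid, gid) of one file; symlinks are not followed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        digest = "link:" + os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.new(algo)          # "md5" as in the post; "sha256" also works
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        digest = h.hexdigest()
    else:
        digest = "special"             # device nodes, FIFOs, sockets: not read
    return digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid

def snapshot(root, algo="md5"):
    """Map each path relative to root to its fingerprint."""
    return {os.path.relpath(os.path.join(folder, name), root):
                fingerprint(os.path.join(folder, name), algo)
            for folder, _, files in os.walk(root) for name in files}

def compare(backup_root, live_root, algo="md5"):
    """Sorted (relative path, reason) pairs where the live tree differs from the backup."""
    old, new = snapshot(backup_root, algo), snapshot(live_root, algo)
    report = []
    for rel in sorted(old.keys() | new.keys()):
        if rel not in old or rel not in new:
            report.append((rel, "added" if rel in new else "missing"))
            continue
        (d0, m0, *own0), (d1, m1, *own1) = old[rel], new[rel]
        checks = ((d0 != d1, "content"), (m0 != m1, "mode %04o -> %04o" % (m0, m1)),
                  (own0 != own1, "owner"))
        report += [(rel, why) for differs, why in checks if differs]
    return report

def demo():
    """Constructed sample: a backup tree and a live tree with one altered binary."""
    with tempfile.TemporaryDirectory() as top:
        for tree, body in (("backup", b"original"), ("live", b"patched")):
            os.makedirs(os.path.join(top, tree, "bin"))
            with open(os.path.join(top, tree, "bin", "last"), "wb") as f:
                f.write(body)
        os.chmod(os.path.join(top, "backup", "bin", "last"), 0o755)
        os.chmod(os.path.join(top, "live", "bin", "last"), 0o777)
        return compare(os.path.join(top, "backup"), os.path.join(top, "live"))
```

Run the comparison from trusted boot media against the mounted disk, since, as post #4 notes, a cracked system's own kernel cannot be relied on to report file contents honestly.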