I wrote to this guy and asked him what he meant. There ARE a lot of pictures of me and my sister on that website. Vacation pics and things.
I ran chkrootkit and the only (possibly) negative results I got were:
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
Searching for suspicious files and dirs, it may take a while...
/usr/lib/j2se/1.4/jre/.systemPrefs
/usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
/usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
/usr/lib/j2se/1.4/jre/.systemPrefs
I guess that since I even suspect that it's compromised, I should reinstall.
Matt
On Sun, 13 Nov 2005, Matt Graham wrote:
Hi. I got this email (below) from someone saying that my server is attacking theirs. They used my IP in the subject line as well.
Is this what happens when a system is rooted? If I suspect that this has happened, is my best option to reinstall?
Hello, I am not sure if you are aware that your server is conducting a vulnerability search and is continually hitting my server. I am guessing that you are unaware of it since the attacking IP is riddled with personal pictures of yourself and your sister. Could you please look into this ASAP. Grant.
Hunhh? I've never seen a "vulnerability search" that is "riddled with personal pictures" of "your sister".
This looks like crap. Did the email contain an attachment with a Windows executable format by chance?
And as to the question of what happens when a system is rooted, if it's rooted right you'll never even know.
Regards,
-Don