On Fri, 2003-06-13 at 16:18, Peter Gloor wrote:
Unfortunately I left SuSE Linux 8.0 Professional Server open tonight. SuSE Firewall 2 was temporarily deactivated.
At 2 PM somebody from outside managed to implant a virus (dir /mihai and files like /.mihai, /mihai.tgz, /mihai/inst etc.). At the same time /etc/rc.d/rc.sysinit was overwritten (with a call to wrapper) and the files /usr/bin/wrapper as well as /usr/sbin/wrapper have been overwritten with the code of /mihai.
Neither rc.sysinit nor /usr/(s)bin/wrapper exist in SuSE; I think that virus expected either a Red Hat or Mandrake machine.
It doesn't matter to me if I have to reinstall all software as
I think that's advisable. If your machine has been cracked, you shouldn't trust any executables on it.
long as I don't need to destroy my partitions and, more
How do you mean destroy? You don't have to repartition your machine, but IMHO it's advisable to reformat your system partitions. I hope your data is on its own partitions.
important, the file system on hda3, since I have a backup of all important config files and all datafiles on hda3.
I tried to reinstall from CD, but this doesn't work either (options freely translated from German):
- New Install: will create new partitions and overwrite my HD!?!
That is the default, but in the "expert" section of the partitioning tool you can select exactly what you want to do, including (if you really want to) not even reformatting.
Does anybody know this virus?
Never heard of it, and a Google search doesn't turn up anything immediately obvious. Maybe you should send a post to suse-security and/or bugtraq?
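As an added example that is not part of the thread: the indicators Peter listed (the /mihai files, the two wrapper binaries, and an rc.sysinit that calls wrapper) can be swept for with a small POSIX shell function. It takes a root directory so the check can be run against a disk mounted from the compromised machine under a clean system, which matters because, as the reply says, nothing executable on the cracked box itself should be trusted. The function name and the ROOT argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: sweep a filesystem root for the
# indicators named in Peter Gloor's report.  ROOT defaults to / but is
# meant to point at a disk mounted read-only from the suspect machine,
# e.g. /mnt/suspect, so the check runs from trusted binaries.

# Paths from the report, relative to ROOT.  Kept as a space-separated
# list so the function works in plain sh without arrays.
MIHAI_PATHS="mihai .mihai mihai.tgz mihai/inst usr/bin/wrapper usr/sbin/wrapper"

# check_mihai ROOT
#   Prints one line per indicator found.
#   Returns 1 if anything was found, 0 if the root looks clean.
check_mihai() {
    root=${1:-/}
    found=0
    # Unquoted on purpose: word-splitting turns the list into loop items.
    for p in $MIHAI_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "INDICATOR: $root/$p exists"
            found=1
        fi
    done
    # SuSE 8.0 ships no /etc/rc.d/rc.sysinit, so its presence alone is
    # suspicious; a reference to "wrapper" inside it matches the overwrite
    # described in the report.
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ]; then
        if grep -q wrapper "$rc" 2>/dev/null; then
            echo "INDICATOR: $rc references wrapper"
        else
            echo "INDICATOR: $rc present (not a SuSE file)"
        fi
        found=1
    fi
    return $found
}

# Usage (from a clean boot with the suspect disk mounted at /mnt/suspect):
#   check_mihai /mnt/suspect
```

A clean exit status only means these particular names were not found; it does not establish that the host is clean, which is why the reply's advice to reinstall from known-good media still stands. On an RPM-based system `rpm -Va` can additionally compare installed files against the package database, but only if rpm itself and its database are run from trusted media rather than from the compromised disk.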