Nothing in mine either, I would take it offline and run the normal checks of a possible break-in/infection!
I'd second that opinion. It's almost certain that that file was put there by a remote attacker, who had malicious intentions.
CERT's instructions for recovering from a break-in are here:
http://www.cert.org/nav/recovering.html
You should plan to do a fresh install of a new system, restore your user data, lock all accounts and remove any ssh access keys, and then set new passwords for all active accounts.
I'm not sure about the files being put there by a remote attacker, but rather by an rpm installed.
ssh is enabled but would require the private key for the root account, which is not likely to be compromised.
If the virus in the zbind exe would have been executed, many more files would have been infected. This tells me the file has not been executed, but it doesn't ensure that my system hasn't been compromised...
No unrecognized daemons are running, no pids either.
Rkhunter says the system is ok, except for vulnerabilities in some of the sme components.
Thanks for the link, great guide there!
Get