
king-phisher/server_config.yml has been changed (debsums -sa)



#1 spenca57


Posted 13 March 2018 - 01:39 PM

So, after chkrootkit found a lot of suspicious files (I previously asked a question about this and whether this was a false positive) I decided to ignore the issue for a while as I was spending too much time trying to figure it out. The output was something like this:
The following suspicious files and directories were found:
/usr/lib/ruby/vendor_ruby/bundler/templates/newgem/.travis.yml.tt
/usr/lib/ruby/vendor_ruby/libv8/.location.yml
/usr/lib/python3/dist-packages/tabulate-0.7.7.egg-info/.PKG-INFO.swp
/usr/lib/python3/dist-packages/.hypothesis
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-mediawiki-e7970d1c6b56/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-mediawiki-e7970d1c6b56/.rspec
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.ruby-version
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.rspec
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_cvss-5d5c765f53dc/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_cvss-5d5c765f53dc/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_dread-41f9bbfee6b1/.git
There were more but I didn't include them all as there were a lot.

Today, I installed debsums to verify the integrity of the packages on my Kali system and discovered king-phisher/server_config.yml has been changed. I can only imagine why this would be, as I have not so much as typed in the command king-phisher, and I am not at all interested in phishing. My best guess is that the suspicious dradis files aren't a false positive: I have been pwned and now my Kali system is being used remotely as a phishing server. Is this plausible? What else could explain this result? I have included a screenshot of the result. I appreciate any response as I am rather anxious right now and considering throwing away a few months of sobriety for the fear that I'm now going to be held responsible for what some nefarious POS hacker has done with my system.
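Added example (not the poster's code and not debsums itself): debsums -a also checks configuration files, and dpkg records a conffile's shipped checksum in its Conffiles field rather than in the package's .md5sums list, so a changed conffile and a changed library file deserve different weight when reading a debsums report. The script below parses both dpkg formats and classifies a path against a constructed fake root; the package name and paths are placeholders, not the real king-phisher layout.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    # /var/lib/dpkg/info/<pkg>.md5sums: "<md5>  <path>" per line, path relative to /
    table = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            table["/" + path.strip()] = digest
    return table


def parse_conffiles(text):
    # Conffiles field (dpkg-query -W -f='${Conffiles}\n' <pkg>): " /path <md5>[ obsolete]" per line
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[parts[0]] = parts[1]
    return table


def classify(path, md5sums, conffiles, root=""):
    # ok | modified-conffile (often a local edit) | modified-file (investigate) | missing | not-owned
    if path in conffiles:
        expected, changed = conffiles[path], "modified-conffile"
    elif path in md5sums:
        expected, changed = md5sums[path], "modified-file"
    else:
        return "not-owned"  # no package checksum exists, so debsums cannot judge this path
    if not os.path.exists(root + path):
        return "missing"
    with open(root + path, "rb") as fh:
        actual = hashlib.md5(fh.read()).hexdigest()
    return "ok" if actual == expected else changed


def demo():
    # Constructed fake root: one conffile edited after install, one untouched library file.
    root = tempfile.mkdtemp()
    conf, lib = "/etc/example-pkg/server_config.yml", "/usr/lib/python3/dist-packages/x.py"
    shipped = {conf: b"server:\n  port: 80\n", lib: b"print('pristine')\n"}
    for p, data in shipped.items():
        os.makedirs(os.path.dirname(root + p), exist_ok=True)
        with open(root + p, "wb") as fh:
            fh.write(data if p != conf else b"server:\n  port: 8080\n")
    conffiles = parse_conffiles(" %s %s\n" % (conf, hashlib.md5(shipped[conf]).hexdigest()))
    md5sums = parse_md5sums("%s  %s\n" % (hashlib.md5(shipped[lib]).hexdigest(), lib[1:]))
    return {p: classify(p, md5sums, conffiles, root) for p in (conf, lib, "/tmp/unowned")}
```

On a real Debian-based host the same two parsers can be fed the package's .md5sums file and the output of dpkg-query for the package that dpkg -S names as the file's owner.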

#2 spenca57


Posted 13 March 2018 - 03:54 PM

Forgot to attach the screenshot, here it is.
