Posted 13 March 2018 - 01:39 PM
So, after chkrootkit found a lot of suspicious files (I previously asked a question about this and whether it was a false positive), I decided to ignore the issue for a while, as I was spending too much time trying to figure it out. The output was something like this:
The following suspicious files and directories were found:
/usr/lib/ruby/vendor_ruby/bundler/templates/newgem/.travis.yml.tt
/usr/lib/ruby/vendor_ruby/libv8/.location.yml
/usr/lib/python3/dist-packages/tabulate-0.7.7.egg-info/.PKG-INFO.swp
/usr/lib/python3/dist-packages/.hypothesis
/usr/lib/python3/dist-packages/matplotlib/tests/baseline_images/.keep
/usr/lib/python3/dist-packages/PyQt4/uic/widget-plugins/.noinit
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-mediawiki-e7970d1c6b56/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-mediawiki-e7970d1c6b56/.rspec
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.ruby-version
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-projects-2a56756753c4/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-brakeman-4d66e9cefa2f/.rspec
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_cvss-5d5c765f53dc/.git
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_cvss-5d5c765f53dc/.gitignore
/usr/lib/dradis/ruby/2.3.0/bundler/gems/dradis-calculator_dread-41f9bbfee6b1/.git
There were more, but I didn't include them all as there were a lot.
Today, I installed debsums to verify the integrity of the packages on my Kali system and discovered that king-phisher/server_config.yml has been changed. I can only imagine why this would be, as I have not so much as typed in the command king-phisher, and I am not at all interested in phishing. My best guess is that the suspicious dradis files aren't a false positive: I have been pwned, and now my Kali system is being used remotely as a phishing server. Is this plausible? What else could explain this result? I have included a screenshot of the result. I appreciate any response, as I am rather anxious right now and considering throwing away a few months of sobriety for fear that I'm now going to be held responsible for what some nefarious POS hacker has done with my system.
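A triage step for the debsums result described in the post, added here as an example and not part of the post or of Kali's own tooling: it separates changed files that dpkg registered as conffiles (which the package system expects may be edited locally or by package scripts) from changed files that are ordinary package content, which is the distinction worth checking before concluding anything. The king-phisher paths and checksums in it are constructed assumptions, not taken from a real install.

```shell
#!/bin/sh
# Added triage helper (not from the forum post): given debsums-style output and
# the conffile list dpkg recorded for a package, separate FAILED entries that
# are conffiles (meant to be edited locally, so a checksum mismatch there is
# common) from FAILED entries on ordinary package files (worth a closer look).
# All paths and checksums below are constructed sample data. On a real system
# the two inputs come from:
#   debsums king-phisher
#   dpkg-query -W -f='${Conffiles}\n' king-phisher

DEBSUMS_OUT='/usr/bin/king-phisher                                    OK
/etc/king-phisher/server_config.yml                                  FAILED
/usr/share/king-phisher/data/server/king_phisher/server_config.yml   FAILED
/usr/share/king-phisher/king_phisher/version.py                      OK'

# Mirrors the ${Conffiles} format: " <path> <md5sum recorded at install time>"
CONFFILES=' /etc/king-phisher/server_config.yml 0123456789abcdef0123456789abcdef
 /etc/king-phisher/client_config.json fedcba9876543210fedcba9876543210'

# classify_failed DEBSUMS_TEXT CONFFILES_TEXT
# Prints one line per FAILED entry: "conffile <path>" or "investigate <path>".
classify_failed() {
    printf '%s\n' "$1" | awk -v conf="$2" '
        BEGIN {
            n = split(conf, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, " ")          # leading space is dropped
                if (f[1] != "") isconf[f[1]] = 1
            }
        }
        $2 == "FAILED" {
            print (($1 in isconf) ? "conffile " : "investigate ") $1
        }'
}

# Number of FAILED entries that are NOT conffiles (the ones to look at first).
count_investigate() {
    classify_failed "$1" "$2" | grep -c '^investigate '
}

classify_failed "$DEBSUMS_OUT" "$CONFFILES"
```

`debsums -c king-phisher` prints only the files whose checksums no longer match, which is the shorter list to feed in on a real system.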