# [solved] cleaning the system from malware

## bendeguz

Hi!

I'm wondering if I suspect some malicious code in my system, what would be a proper way to rebuild it like if it was a clean install? I'm thinking of "emerge -e world", reinstalling configuration files, cleaning tmp folders and stuff like that.

Thanks for reading...

Last edited by bendeguz on Mon May 24, 2010 12:55 pm; edited 1 time in total

----------

## phajdan.jr

You may want to use tools like rkhunter and chkrootkit.

However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.

Let me repeat once more: a hacked system must be reinstalled from scratch.
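The point above, that the suspect machine cannot be trusted to report on its own files, is why any integrity comparison has to run from trusted boot media with the suspect disk mounted read-only. The script below is an added example for this thread, not a tool from any of the posts or from Gentoo: it takes a baseline manifest in plain `sha256sum` format (paths relative to the root, recorded before the incident or taken from a known-good install) and reports manifest entries that were modified or are missing, plus files present on disk that the manifest has never seen. The tiny "system" tree, its baseline and the simulated tampering are all constructed inside a temp directory so the script runs anywhere; the `$SUSPECT_ROOT` / mount assumption is only described in the comments.

```shell
#!/bin/sh
# Offline integrity check of a suspect filesystem against a known-good manifest.
# Added example, not code from the thread. Assumed workflow: boot trusted media,
# mount the suspect root read-only (e.g. under /mnt/suspect), and have a
# baseline manifest produced earlier with something like
#   cd / && find /bin /sbin /usr/bin /usr/sbin /lib -type f | xargs sha256sum
# Here both the tree and the manifest are constructed in a temp dir.

# compare_tree MANIFEST ROOT
# Prints "MODIFIED path" or "MISSING path" for every manifest entry whose file
# under ROOT changed or disappeared. Always returns 0; callers inspect output.
compare_tree() {
    manifest="$1"; root="$2"
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
            continue
        fi
        actual=$(sha256sum "$root/$path" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || echo "MODIFIED $path"
    done < "$manifest"
    return 0
}

# find_extra MANIFEST ROOT
# Prints "EXTRA path" for files under ROOT that the manifest does not list
# (a planted binary or kernel module would show up here, not in compare_tree).
find_extra() {
    manifest="$1"; root="$2"
    known=$(mktemp); present=$(mktemp)
    awk '{print $2}' "$manifest" | sort > "$known"
    (cd "$root" && find . -type f | sed 's|^\./||' | sort) > "$present"
    comm -13 "$known" "$present" | sed 's/^/EXTRA /'
    rm -f "$known" "$present"
    return 0
}

# build_demo: constructs a small tree, records its baseline, then simulates a
# compromise (one binary replaced, one library removed, one file planted).
# Prints the temp directory holding root/ and baseline.sha256.
build_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/bin" "$dir/root/lib"
    printf 'ls original\n'   > "$dir/root/bin/ls"
    printf 'ps original\n'   > "$dir/root/bin/ps"
    printf 'libc original\n' > "$dir/root/lib/libc.so"
    (cd "$dir/root" && find . -type f | sed 's|^\./||' | sort | xargs sha256sum) \
        > "$dir/baseline.sha256"
    # Constructed tampering, applied after the baseline was recorded:
    printf 'ps replaced\n' > "$dir/root/bin/ps"      # modified binary
    rm "$dir/root/lib/libc.so"                        # missing library
    printf 'unknown\n' > "$dir/root/lib/unknown.ko"   # file not in baseline
    echo "$dir"
}

DEMO=$(build_demo)
echo "Baseline manifest:"
cat "$DEMO/baseline.sha256"
echo "Findings:"
compare_tree "$DEMO/baseline.sha256" "$DEMO/root"
find_extra   "$DEMO/baseline.sha256" "$DEMO/root"
rm -rf "$DEMO"
```

On a real disk the run would be `compare_tree baseline.sha256 /mnt/suspect` from the live environment. Note what this does and does not give you: it tells you which files changed and what was added, which helps decide what data is safe to carry over and what the attacker touched, but it does not make the old installation trustworthy again; a manifest can only flag files it knows about, and it says nothing about firmware, boot sectors or anything the baseline never covered, which is exactly why the advice above is still to reinstall from scratch.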

----------

## bendeguz

*phajdan.jr wrote:*

> You may want to use tools like rkhunter and chkrootkit.
>
> However, you can never be sure, and you can never trust the suspected system. In case you decide to reinstall, absolutely nothing should survive (oh, except data). The disk should be reformatted etc. If you just re-compile stuff, you risk leaving some backdoors behind. Also, you can't trust the subverted system, so you don't really know whether it overwrites the infected files.
>
> Let me repeat once more: a hacked system must be reinstalled from scratch.

Thank you for your answer!

Would you be so kind, to have a look at this? (Maybe you already did before)

https://forums.gentoo.org/viewtopic-t-818338-highlight-tcp+timestamp.html

This is the reason of my question. I still don't know the explanation of this.

To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.

I realized that if I put my machine behind a router which I built based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.

----------

## phajdan.jr

*bendeguz wrote:*

> This is the reason of my question. I still don't know the explanation of this.
>
> To make it short: after ~9.5 hours of uptime (tried it several times) I can't reach a lot of web pages and mirrors. I tried with a cleanly installed Gentoo which I installed chrooted from my desktop system, but it had the same problem.
>
> I realized that if I put my machine behind a router which I built based on floppyfw, the problem is gone. If I put it back on the TP-LINK router, I can't reach almost anything again.

Doesn't look like a hack. Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious like in this case.

----------

## bendeguz

*phajdan.jr wrote:*

> Additionally, be aware that most of the time an attacker wants to hide his presence, and not make a lot of noise that would make people suspicious like in this case.

Good point, thank you.

----------

