Question: Has My Box Been compromised?
Posted by ajt on Wed 20 Jul 2005 at 15:47
Today my Debian/Sarge box at home took a very sustained SSH attack. After the attack, I got an email saying that "rootkit004w" and "LKM" have been detected. I'm quite aware that the various automated security tools do generate false positives, however it's quite a coincidence. I had restarted some services that generate false positives inadvertently during the attack, so it really could just be coincidence
The box is set to allow only certificate based SSH logins only, so I'm quite confident that they could not have got in via a simple dictionary attack, but now I'm not convinced that the box is as safe as it should be.
I've taken the safe step of shutting the box down, as I don't trust it at the moment.
I'm quite prepared to rebuild the box from scratch, everything of importance is backed up, but I'd rather not if it's actually safe.
What's the best live-CD to check out a Debian system out with?