LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-10-2002, 10:44 PM   #1
doris
Distribution: RH 7.3, 8.0
a trojan inside my box?


Just after installing Redhat 7.3 (Cheapbytes pink tie version) and putting it online, I found my new box kept ftping out!!!

The destination was 203.117.102.247, which telneted my box minutes later and got refused by the tcp wrapper.

Is there a trojan in my newly installed system? If yes, how can I find it out? Currently, I could use Ethereal to monitor packets, but I don't know which program requested ftp. I also checked my box with chkrootkit but found nothing abnormal.

doris
 
Old 06-10-2002, 10:53 PM   #2
tyler_durden
I don't know, but I am curious. If you are willing, I would let the connection through tcp wrappers, but run tcpdump and see what goes across the network.
 
Old 06-12-2002, 01:22 AM   #3
Noerr
Distribution: Redhat 7.3
You need to get the chkrootkit program and run it to see what rootkit you got. Backup all your data, do some reading about security, get everything ready, and then reinstall the system (but when you have the new system, make sure you make a good firewall, shut down all not needed services, and don't use any communication with clear text passwords, eliminate shells from users, except for ones that need to login through ssh, drop telnet)
 
Old 06-12-2002, 04:31 AM   #4
unSpawn
Moderator
If the box is regarded as suspect, running chkrootkit *without verified clean* binaries won't get you anywhere. The same goes for verifying installed rpms against the rpm database.
Best thing would be to check by running the biatchux cd (somewhere at sourceforge); it's got chkrootkit on it as well as a myriad of other tools.

Except for time-consuming manual examination of the filesystem for dot-files, dot-dirs, running strings on binaries trying to find signs of compromise and trying to undelete/recover bits 'n pieces, about the only thing you can do is go through logfiles, (w|u)tmp entries, passwd/group and config files trying to find anomalies. However, if they used a zapper even that might not turn up anything.

If unsure, better save your *human readable data* (no binaries), and like Noerr said reinstall and secure the system.
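An added example, not from the thread, for the step doris was missing ("I don't know which program requested ftp") and for unSpawn's caveat: it maps an established outbound connection to port 21 to the process holding the socket by reading /proc directly instead of trusting a possibly trojaned netstat. It assumes a Linux x86 host, root, and a constructed /proc/net/tcp sample using the address from the thread; a kernel-level rootkit can still hide entries from /proc, which is exactly why unSpawn says a suspect box cannot be trusted to examine itself.

```python
import os
import socket
import struct
from collections import namedtuple
# Constructed sample of /proc/net/tcp from an x86 (little-endian) host: one ESTABLISHED (st 01)
# connection 192.168.1.10:1037 -> 203.117.102.247:21 on socket inode 4711, plus a LISTEN (0A) socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2001 1 00000000 100 0 0 10 0
   1: 0A01A8C0:040D F76675CB:0015 01 00000000:00000000 00:00000000 00000000     0        0 4711 1 00000000 20 4 30 10 -1
"""
# inode is the key that links a /proc/net/tcp row to a /proc/<pid>/fd/* symlink
Conn = namedtuple("Conn", "local remote remote_port inode")
def _decode(hexaddr):
    """'0A01A8C0:040D' -> ('192.168.1.10', 1037); IPv4 is a host-order word, so unpack '<I' on x86."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    conns = []
    for line in text.splitlines()[1:]:            # skip the column header
        f = line.split()
        if len(f) >= 10 and f[3] == "01":         # keep only ESTABLISHED rows
            lip, lport = _decode(f[1])
            rip, rport = _decode(f[2])
            conns.append(Conn(f"{lip}:{lport}", rip, rport, int(f[9])))
    return conns

def socket_owners(proc_root="/proc"):
    """Map socket inode -> pid from /proc/<pid>/fd/* links ('socket:[4711]'); run as root."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        for fd in (os.listdir(fd_dir) if os.access(fd_dir, os.R_OK) else []):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue                          # fd closed or process exited meanwhile
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(pid)
    return owners

def find_owners(conns, owners, port=21):
    """Pair each connection to `port` with its pid; None means no visible process holds
    the socket (hidden by a rootkit, or fds unreadable), which itself deserves a look."""
    return [(c, owners.get(c.inode)) for c in conns if c.remote_port == port]
if __name__ == "__main__":                        # live run on the suspect box, as root
    with open("/proc/net/tcp") as fh:
        for c, pid in find_owners(parse_proc_net_tcp(fh.read()), socket_owners()):
            print(c, "pid", pid, "exe", os.readlink(f"/proc/{pid}/exe") if pid else "?")
```

Run it while the connection is open (tyler_durden's tcpdump session is a good time); a connection whose inode no process owns is the sign of a hidden process and fits unSpawn's advice to stop trusting the host.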