Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Just after installing Redhat 7.3 (Cheapbytes pink tie version) and putting it online, I found my new box kept ftping out!!!
The destination was 184.108.40.206, which telneted to my box minutes later and got refused by the tcp wrapper.
Is there a trojan in my newly installed system? If yes, how can I find it? Currently, I could use ethereal to monitor packets, but I don't know which program requested ftp. I also checked my box with chkrootkit but found nothing abnormal.
You need to get the checkrootkit (chkrootkit) program and run it to see what rootkit you got. Back up all your data, do some reading about security, get everything ready, and then reinstall the system. (But when you have the new system, make sure you make a good firewall, shut down all unneeded services, don't use any communication with clear-text passwords, eliminate shells from users except for the ones that need to log in through ssh, and drop telnet.)
If the box is regarded as suspect, running chkrootkit *without verified clean* binaries won't get you anywhere. The same goes for verifying installed rpms against the rpm database.
The best thing would be to check by running the biatchux CD (somewhere at sourceforge); it's got chkrootkit on it as well as a myriad of other tools.
Except for time-consuming manual examination of the filesystem for dot-files and dot-dirs, running strings on binaries trying to find signs of compromise, and trying to undelete/recover bits 'n pieces, about the only thing you can do is go through logfiles, (w|u)tmp entries, passwd/group and config files trying to find anomalies. However, if they used a zapper, even that might not turn up anything.
If unsure, better save your *human readable data* (no binaries) and, like Noerr said, reinstall and secure the system.
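Added example, not part of any post in this thread: the original question asks which program is requesting the outbound FTP connections, and on Linux that can be read by matching socket inodes in /proc/net/tcp against /proc/<pid>/fd. The sample table, addresses and PIDs are constructed, and the parser assumes IPv4 on a little-endian host. On a suspect box the result is only as trustworthy as the interpreter and kernel it runs on, so a kernel-level rootkit can still hide entries.

```python
import os, socket, struct

# Constructed sample in /proc/net/tcp format (little-endian host); not from the thread.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:8004 630200C0:0015 02 00000001:00000000 01:00000064 00000000     0        0 4242 2 0000000000000000 300 0 0 1 7
   2: 0F02000A:0016 0202000A:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1337 2 0000000000000000 20 4 30 10 -1
"""

def _addr(hexpair):
    """Decode 'HEXIP:HEXPORT' as printed by the kernel on a little-endian host."""
    ip_hex, port_hex = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return [(local, remote, state, inode)] for each socket row."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10:
            conns.append((_addr(f[1]), _addr(f[2]), f[3], int(f[9])))
    return conns

def outbound_ftp(conns, port=21):
    """Sockets whose remote port is FTP control and that are not listeners (0A)."""
    return [c for c in conns if c[1][1] == port and c[2] != "0A"]

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, exe)] by reading the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:[") and int(target[8:-1]) in inodes:
                    exe = os.readlink(os.path.join(proc_root, pid, "exe"))
                    owners.setdefault(int(target[8:-1]), []).append((int(pid), exe))
        except OSError:
            continue                            # process exited or access denied
    return owners

if __name__ == "__main__":                      # live run; needs root to see every PID
    with open("/proc/net/tcp") as fh:
        hits = outbound_ftp(parse_proc_net_tcp(fh.read()))
    owners = socket_owners({h[3] for h in hits})
    for local, remote, state, inode in hits:
        print(local, "->", remote, "state", state, owners.get(inode, "owner not visible"))
```

A socket that shows up in the table with no visible owner is itself worth noting, since it means the owning process either exited or is not visible through /proc.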