Hello together,

unfortunately my system (hd-installed Knoppix release 3.2) has been hacked probably 2 days ago.
I did a port scan and found out that it is infected by the trojan Deepthroat 2.0&3.0 which
now is listening on port 60000.

How can i get rid of the trojan without installing from scratch?

Thanks for your proposals in advance

"Deep throat", "Foreplay" and "Trojan Sockets" or whatever is sposed to be listening on TCP/6000 are trojans for the MICROS~1 game platform, so that can't be it. Unfortunately a portscan doesn't say a thing.

If you don't know what's listening on the port and you want to find out more, as root 1) run "netstat -anp" and 2) validate listening apps (md5sum, pkg manager, integrity checkers like Aide, Samhain or tripwire) and 3) download chkrootkit(.org) and scan.
"Usually" it'll be just the firewall port hasn't been blocked, or a default policy of "ACCEPT" is used, block the port, reload the fw and rescan.

hello unSpawn,

taking your advices into account i re-examine the system with netstat and could identify the process updatefs, which was listening on the port 60000.
After killing the process it also disappears from the netstat summary for listening ports.
I have no idea what this application is usually good for.
Anyway, i also tried 'chkrootkit' but it found almost nothing suspicious beside ifconfig, which supposed to be infected. Also the system appears to have a so called LKM trojan installed, but chkrootkit doesn't give detailed information.

I'm afraid there's no other possibility to set up the system again.

By the way, i led my computer checked by nessus. It turned out that the intruder may have entered through a vulnerable version of the samba server, which was running accidently and so was able to gain a root shell.
The intrusion was easily recognised, because two new users where added to passwd !!

Good for you you discovered this all.

Before you reformat (please *do* reformat) and re-install, can you save some info, like "find / | xargs md5sum 2>/dev/null > /tmp/allfilesums.log" (or if you have an idea when it happened a "find / -mtime x| xargs md5sum 2>/dev/null > /tmp/mtime_x_filesums.log", where x is days before discovery +1 or check wtmp for when the accounts where added and addy 2 days), all system logs and the passwd/shadow/wtmp files?
If you use "find" and you see files you can't find the purpose for, make a list of them and tar 'em up.
This way you got minimal info saved of the compromise.

If you want me to look a bit more into this compromise, I invite you to take it up with me by email.

hello unSpawn,

i read your post too late, now i already re-install my linux (newer version with all services off).
But your right i would have been better to investigate some more to collect as much info as possible for the people reading this forum probably facing the same problem from now on. Now it's too late. All evidences are gone.

But i'm warned. (Now i'm not a virgin anymore ;-) )

The leak is described under DSA-280-1 samba on the debian pages.