LinuxQuestions.org, Linux - Security forum
#1  07-05-2003, 02:43 PM
frasier642 (LQ Newbie; Registered: Jul 2003; Location: aix-la-chapelle; Distribution: KnoppixV3.2/Debian; Posts: 6)
get rid of trojans after being hacked?


Hello all,

Unfortunately my system (hd-installed Knoppix release 3.2) was hacked, probably 2 days ago.
I did a port scan and found out that it is infected by the trojan Deepthroat 2.0&3.0, which
is now listening on port 60000.

How can I get rid of the trojan without installing from scratch?

Thanks for your proposals in advance
 
#2  07-05-2003, 03:16 PM
unSpawn (Moderator; Registered: May 2001; Posts: 26,534; Blog Entries: 51)
"Deep throat", "Foreplay" and "Trojan Sockets" or whatever is supposed to be listening on TCP/6000 are trojans for the MICROS~1 game platform, so that can't be it. Unfortunately a portscan doesn't say a thing.

If you don't know what's listening on the port and you want to find out more, as root 1) run "netstat -anp" and 2) validate listening apps (md5sum, pkg manager, integrity checkers like Aide, Samhain or tripwire) and 3) download chkrootkit(.org) and scan.
"Usually" it'll just be that the firewall port hasn't been blocked, or a default policy of "ACCEPT" is used: block the port, reload the fw and rescan.
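The steps in the post above (find who owns the socket in "netstat -anp" output, check the listening binary against the package manager, block the port) as one POSIX sh script. This is an added example, not unSpawn's code or anything posted in the thread: the netstat lines are constructed, the process name "unknownd" and PID 1337 are hypothetical placeholders, and dpkg_verify assumes a Debian-style dpkg database such as Knoppix has. chkrootkit is a separate run and is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an unknown LISTEN socket
# the way post #2 outlines (netstat -> owning process -> package check ->
# block the port). The netstat text below is constructed; "unknownd" and
# PID 1337 are hypothetical placeholders. Run the real commands as root.

# Constructed sample of "netstat -anp" output (on newer systems: ss -tulpn).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  412/sshd
tcp        0      0 0.0.0.0:139     0.0.0.0:*        LISTEN  530/smbd
tcp        0      0 0.0.0.0:60000   0.0.0.0:*        LISTEN  1337/unknownd
udp        0      0 0.0.0.0:137     0.0.0.0:*                531/nmbd'

# owner_of_port PORT [NETSTAT_OUTPUT]: print "PID/Program" for the socket
# bound to PORT; falls back to the constructed sample so it runs offline.
owner_of_port() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" | awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")              # local port follows the last ":"
            if (a[n] == port) { print $NF; exit }
        }'
}

# exe_of_pid PID: the binary actually running, via /proc. netstat shows the
# name the process chose for itself, which a trojan can set to anything.
exe_of_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# md5_matches FILE EXPECTED: succeed if FILE hashes to EXPECTED.
md5_matches() {
    [ "$(md5sum "$1" | awk '{print $1}')" = "$2" ]
}

# dpkg_verify FILE: compare FILE with the md5 its Debian package recorded at
# install time (what "debsums -c" does for the whole system). Trustworthy
# only if dpkg's database, md5sum and the kernel are clean; an LKM rootkit
# can lie about all three, so repeat the check from a clean boot medium.
dpkg_verify() {
    file=$1
    pkg=$(dpkg -S "$file" 2>/dev/null | cut -d: -f1 | head -n 1)
    if [ -z "$pkg" ]; then
        echo "$file: not owned by any package (suspicious)"; return 2
    fi
    expected=$(awk -v f="${file#/}" '$2 == f { print $1 }' \
        "/var/lib/dpkg/info/$pkg.md5sums" 2>/dev/null)
    if [ -z "$expected" ]; then
        echo "$file: no recorded md5 in package $pkg"; return 2
    fi
    if md5_matches "$file" "$expected"; then
        echo "$file: matches package $pkg"
    else
        echo "$file: MODIFIED, differs from package $pkg"; return 1
    fi
}

# block_port PORT: drop inbound TCP to PORT until it is understood, then
# rescan (post #2's "block the port, reload the fw and rescan").
block_port() {
    iptables -I INPUT -p tcp --dport "$1" -j DROP
}

# Stand-alone run against the constructed sample; on a live box use
#   owner=$(owner_of_port 60000 "$(netstat -anp)")
main() {
    owner=$(owner_of_port 60000)
    echo "port 60000 owner: ${owner:-none}"
    pid=${owner%%/*}
    exe=$(exe_of_pid "$pid")
    if [ -n "$exe" ]; then dpkg_verify "$exe"; fi
    return 0
}
main
```

netstat only fills in the "PID/Program name" column for processes you own, so run it as root. If this check (or chkrootkit) reports that netstat, ps, ifconfig or md5sum itself has been modified, stop trusting anything the running system reports and redo the verification from a clean boot medium.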
 
#3  07-05-2003, 08:34 PM
frasier642 (Original Poster)
Hello unSpawn,

Taking your advice into account I re-examined the system with netstat and could identify the process updatefs, which was listening on port 60000.
After killing the process it also disappeared from the netstat summary of listening ports.
I have no idea what this application is usually good for.
Anyway, I also tried 'chkrootkit', but it found almost nothing suspicious besides ifconfig, which is supposed to be infected. Also the system appears to have a so-called LKM trojan installed, but chkrootkit doesn't give detailed information.

I'm afraid there's no other possibility than to set up the system again.

By the way, I had my computer checked by Nessus. It turned out that the intruder may have entered through a vulnerable version of the Samba server, which was accidentally running, and so was able to gain a root shell.
The intrusion was easily recognised, because two new users were added to passwd!!
 
#4  07-06-2003, 02:31 PM
unSpawn (Moderator)
Good for you that you discovered all this.

Before you reformat (please *do* reformat) and re-install, can you save some info, like "find / | xargs md5sum 2>/dev/null > /tmp/allfilesums.log" (or, if you have an idea when it happened, "find / -mtime x | xargs md5sum 2>/dev/null > /tmp/mtime_x_filesums.log", where x is days before discovery + 1, or check wtmp for when the accounts were added and add 2 days), all system logs and the passwd/shadow/wtmp files?
If you use "find" and you see files you can't find the purpose for, make a list of them and tar 'em up.
This way you've got at least minimal info about the compromise saved.

If you want me to look a bit more into this compromise, I invite you to take it up with me by email.
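A runnable version of the evidence collection the post above asks for, added here as an example; it is not unSpawn's script. ROOT, DAYS and OUTDIR are parameters and no real capture is embedded. It assumes you boot a clean medium (the Knoppix CD itself will do), mount the compromised disk read-only at ROOT and write the output somewhere else, so a trojaned find or md5sum, or the LKM rootkit chkrootkit hinted at, cannot hide files from the collection. Two details differ from the one-liners in the post: file lists are passed NUL-separated (the plain "find / | xargs md5sum" form breaks on names with spaces), and the mtime test uses "-mtime -N", since "-mtime N" without the minus matches only files exactly N days old.

```shell
#!/bin/sh
# Added example, not unSpawn's script: save the evidence post #4 asks for
# before reformatting. ROOT, DAYS and OUTDIR are parameters; no real capture
# is embedded. Boot a clean medium (the Knoppix CD will do), mount the
# compromised disk read-only at ROOT and write OUTDIR elsewhere, so a
# trojaned find/md5sum or an LKM rootkit on the victim can't hide files.

# hash_tree ROOT OUTFILE: md5 of every regular file under ROOT, staying on
# one filesystem. "-exec ... {} +" hands find's results to md5sum without
# splitting names on whitespace. Prints the number of files hashed.
hash_tree() {
    find "$1" -xdev -type f -exec md5sum {} + 2>/dev/null > "$2"
    wc -l < "$2" | tr -d ' '
}

# recent_files ROOT DAYS OUTFILE: md5 of regular files modified within the
# last DAYS days. The leading "-" matters: "-mtime -N" means less than N
# days ago, while "-mtime N" matches only files exactly N days old.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -exec md5sum {} + 2>/dev/null > "$3"
    wc -l < "$3" | tr -d ' '
}

# account_evidence ROOT: root-equivalent and regular accounts from passwd
# (the two added users show up here), plus the login records that bracket
# when they appeared; pad DAYS by a day or two from that date.
account_evidence() {
    if [ -r "$1/etc/passwd" ]; then
        awk -F: '$3 == 0 || $3 >= 1000 { print $1 ":" $3 ":" $7 }' "$1/etc/passwd"
    fi
    if [ -r "$1/var/log/wtmp" ]; then
        last -f "$1/var/log/wtmp" 2>/dev/null | head -n 20
    fi
    return 0
}

# collect_evidence ROOT DAYS OUTDIR: hashes, recent-file hashes, account
# data, all of /var/log and the passwd/shadow/group files, tarred with a
# checksum of the archive so it can later be shown untouched. Prints the
# tar path.
collect_evidence() {
    root=$1; days=$2; out=$3
    mkdir -p "$out/etc" "$out/var"
    hash_tree "$root" "$out/allfilesums.log" > /dev/null
    recent_files "$root" "$days" "$out/mtime_${days}_filesums.log" > /dev/null
    account_evidence "$root" > "$out/accounts.txt"
    if [ -d "$root/var/log" ]; then
        cp -rp "$root/var/log" "$out/var/" || echo "warning: parts of $root/var/log not copied" >&2
    fi
    for f in passwd shadow group; do
        if [ -e "$root/etc/$f" ]; then cp -p "$root/etc/$f" "$out/etc/$f"; fi
    done
    tar -C "$out" -cf "$out.tar" . && md5sum "$out.tar" > "$out.tar.md5"
    echo "$out.tar"
}

# Stand-alone use from the rescue boot, e.g.:
#   collect_evidence /mnt/victim 3 /mnt/usb/evidence
if [ "$#" -ge 2 ]; then
    collect_evidence "$1" "$2" "${3:-/tmp/evidence}"
fi
```

wtmp is binary, so read the copy with "last -f" rather than a pager. Hashes taken from inside the compromised system are only a weak baseline; the value of the archive is that it can be compared later against the distribution's package md5sums from a machine you trust.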
 
#5  07-06-2003, 03:12 PM
frasier642 (Original Poster)
Hello unSpawn,

I read your post too late; I have already re-installed my Linux (newer version with all services off).
But you're right, it would have been better to investigate some more to collect as much info as possible for the people reading this forum who will probably face the same problem from now on. Now it's too late. All evidence is gone.

But I'm warned. (Now I'm not a virgin anymore ;-) )

The leak is described under DSA-280-1 samba on the Debian pages.
 
  

