Well, it can also be running like a hidden process providing a backdoor.. It can do a lot of things.. There is no "right" answer, there are just a series of tests which eliminate some possibilities and/or track the "culprit" process..
|
Slackware already includes tcpdump, so if you can't find the culprit in netstat/lsof output you should at least be able to record and inspect the packets being sent out (unless of course there is a well-hidden rootkit that modifies tcpdump output). Running the following as root would record all packets for 2 minutes:
Code:
# tcpdump -i eth0 -G 120 -W 1 -w /root/tcpdump-$(date +"%F_%H:%M:%S").log
Code:
$ /usr/sbin/tcpdump -n -r /path/to/file.log | less
Code:
$ /usr/sbin/tcpdump -n -XX -r /path/to/file.log | less
|
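Before reaching for tcpdump, the post above suggests looking for the culprit in netstat/lsof output. The following is an added example (not code from the thread or from any poster) that parses `netstat -tupan`-style text and flags rows that do not fit a small baseline: listeners that are not expected, established connections held by unrecognised programs, dot-prefixed program names, and rows with no visible owner. The sample output, the baseline sets and the program name `.IptabLes` are all constructed for the example; the baseline would be adapted to the box under review.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `netstat -tupan` output; not captured from the thread.
# The ".IptabLes" program name mirrors the file name the thread found in /boot.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 2231/sshd: alice
tcp        0      0 192.0.2.10:45678        203.0.113.9:6667        ESTABLISHED 3312/.IptabLes
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhcpcd
"""

# Baseline for the box under review (assumed for the example): which
# (proto, port) pairs may listen and which program names may hold sockets.
EXPECTED_LISTENERS = {("tcp", 22), ("udp", 68)}
KNOWN_PROGRAMS = {"sshd", "dhcpcd"}

# One netstat row: proto, queues, local, foreign, optional state, PID/Program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<owner>-|\d+/.*)$"
)


@dataclass
class Finding:
    pid: str
    program: str
    local: str
    foreign: str
    reason: str


def port_of(addr: str) -> int:
    """Return the numeric port from 'host:port' (IPv6 addresses use the last ':')."""
    return int(addr.rsplit(":", 1)[1])


def triage(netstat_text: str) -> List[Finding]:
    """Return one Finding per baseline rule a netstat row violates."""
    findings: List[Finding] = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue  # header lines and anything we do not understand
        proto, local, foreign = m["proto"], m["local"], m["foreign"]
        state = m["state"] or ""
        owner = m["owner"]
        if owner == "-":
            pid, program = "-", ""
        else:
            pid, program = owner.split("/", 1)
        # "sshd: alice" -> "sshd"; a leading dot is kept so hidden-style names stay visible
        name = program.split(":", 1)[0].strip()

        def flag(reason: str) -> None:
            findings.append(Finding(pid, program, local, foreign, reason))

        if state == "LISTEN" and (proto.rstrip("6"), port_of(local)) not in EXPECTED_LISTENERS:
            flag("listening socket not in baseline")
        if name.startswith("."):
            flag("program name starts with a dot (hidden-style name)")
        if state == "ESTABLISHED" and name not in KNOWN_PROGRAMS:
            flag("established connection held by program not in baseline")
        if owner == "-":
            flag("no owning process shown; re-run as root or suspect a hidden process")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):
        print(f"pid={f.pid:>5} prog={f.program or '?':<12} {f.local} -> {f.foreign}: {f.reason}")
```

Running this on the constructed sample reports the `.IptabLes` connection twice (dot-prefixed name, not in baseline) and the port 25 listener twice (not in baseline, no owner shown). A row with `-` as the owner is the normal result of running netstat as an unprivileged user, so that rule only becomes interesting once the output was collected as root; and, as the post notes, a rootkit that patches netstat or libc can make any of these rows disappear, which is why the packet capture from a second machine is the stronger check.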
Sorry for not replying sooner, I was a bit discouraged and just disconnected the thing from the network.
Code:
netstat -cutpan
Code:
Active Internet connections (servers and established)
I don't even know if it's worth dealing with :| ...I'm going to be installing the new version of Mint at the end of May on my other machines, might as well just wipe the Slackbox and make sure I have proper configuration for my ssh security. |
Code:
find /boot /etc /usr /var -type f \( -iname iptable\* -o -iname .\*iptable\* -o -iname S55ip\* \)
|
The above find commands turned up 2 binaries in /boot/ and 2 basic shell scripts in /init.d/ to start them.
Is there messaging/mail within LinuxQuestions? I can't seem to find a way to direct message you. |
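The find command a few posts up matches on file names only; what the reporter then had to do by hand was work out which of the hits were binaries and which were start-up scripts. The following is an added example (not code from the thread or from any poster) that walks a directory tree with the same three case-insensitive name patterns and classifies each hit by its leading bytes (ELF magic, `#!` shebang, or other) plus whether it is executable. The `demo()` function builds a constructed tree in a temporary directory: a fake ELF named `.IptabLes` under `boot/`, a start-up script under `etc/rc.d/init.d/` (the script name is assumed), a non-matching `rc.inet1`, and a plain text file that matches by name only, so that name matching and content classification can be seen disagreeing.

```python
import fnmatch
import os
import stat
import tempfile
from typing import List, Tuple

# Name patterns from the thread's find command, matched case-insensitively.
SUSPECT_PATTERNS = ["iptable*", ".*iptable*", "S55ip*"]


def matches(name: str) -> bool:
    """True if the file name matches any suspect pattern, ignoring case."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in SUSPECT_PATTERNS)


def classify(path: str) -> str:
    """Classify a file by its first bytes, ignoring the name and extension."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"\x7fELF"):
        return "ELF binary"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def scan(roots: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (path, kind, executable) for every regular file whose name matches."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if not matches(fname):
                    continue
                full = os.path.join(dirpath, fname)
                if os.path.islink(full):
                    continue  # classify the target separately, if it is in a scanned root
                executable = bool(os.stat(full).st_mode & stat.S_IXUSR)
                hits.append((full, classify(full), executable))
    return sorted(hits)


def demo() -> List[Tuple[str, str, bool]]:
    """Build a constructed tree resembling the thread's finding, scan it, return relative hits."""
    # Constructed contents; the 16-byte ELF header is fake and only carries the magic.
    layout = {
        "boot/.IptabLes": b"\x7fELF\x02\x01\x01" + b"\0" * 9,
        "etc/rc.d/init.d/IptabLes": b"#!/bin/sh\n/boot/.IptabLes &\n",   # assumed script name
        "etc/rc.d/rc.inet1": b"#!/bin/sh\n# legitimate script, name does not match\n",
        "usr/share/doc/iptables-README": b"plain text: matches by name only\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for rel, content in layout.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            is_exec = rel.startswith(("boot/", "etc/rc.d/"))
            os.chmod(path, 0o755 if is_exec else 0o644)
        hits = scan([os.path.join(base, d) for d in ("boot", "etc", "usr")])
        return [(os.path.relpath(p, base), kind, ex) for p, kind, ex in hits]


if __name__ == "__main__":
    for path, kind, executable in demo():
        print(f"{path:<32} {kind:<11} {'exec' if executable else 'no-exec'}")
```

On the constructed tree the scan reports the `boot/.IptabLes` hit as an executable ELF binary, the init.d hit as an executable script, and the README as a non-executable "other" file, which is the kind of split a responder wants before deciding what to archive and share. Classifying by content rather than name is also what keeps a renamed dropper (for example an ELF file called something innocuous) from slipping past a name-only check, though only within the roots actually scanned.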
There is a private message system, but it seems to be limited (I'm not quite sure when it's activated)
http://www.linuxquestions.org/questi.../unspawn-2450/ Go to "Contact info", you'll find a link to mail him (unfortunately, without attachments, so try putting the files in an archive on Dropbox or Google Docs and share them by link).. Btw, I would also appreciate a copy of them.. if you can .. :) |
You can also, in the "My LQ" menu on the right, click on the link tagged "LQ UserCP" (that stands for "LQ user Control Panel"). |
Well it seems like I'm logged in, I don't know what the problem is.
Would it be okay to just post a drop-box link in this thread? |
You have to enable private messaging - on the left side of the page, in the MY LQ box, select "edit options" and it's in there under messaging and notifications. You already have email turned on, as does unSpawn.
Also, more easily in this case, if you simply click on unSpawn's (or anyone else's) username, you should get a fly-out with an email to <username> link, plus an IM link if it's enabled. cheers, |
Actually, I remember not having PMs and some stuff not so long ago.. I think it's a post-count anti-spam limit..
@Tachtory, sure.. just present a big warning of what it contains.. :P |
IptabLes.tar.gz 0.98MB
Contains:
Code:
boot-.IptabLes -- binary exe found in /boot/
|
Hello all
If the box is compromised then it should not be used to verify anything. Reason? It's compromised! At the first moment it's not possible to verify what has been affected (nmap, netstat, tcpdump, iptables?). In this case I would get a second machine and make Man In The Middle with that box and capture all traffic to see what's going on. For me the best option is to build the system from scratch and install precautions (fail2ban; tripwire; others?) Anyway good luck. Regards, hyakutake |
whoever made this didn't even strip the binaries :) a 2MB virus :) thx for sharing, this made my day |
It's definitely a trojan:
http://www.ebel-computing.de/JSPWiki...erver%20Trojan |