View the Most Wanted LQ Wiki articles.
Go Back > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Slackware This Forum is for the discussion of Slackware Linux.


  Search this Thread
Old 04-25-2014, 11:35 AM   #31
Registered: Nov 2013
Posts: 674

Rep: Reputation: Disabled

looking at the code it has a full, threaded server
the code is huge (has zlib and glibc included) and the coding style is all over the place (Get_File_Size, updatesrv, MySend etc; granted some could be from zlib)
there are syn and dns flood functions, a GetRandFileName function and a million more

my novice guess is it's a cross platform botnet
bdw ht, F6->elf/image if you want to check it out

funny that it makes slackware rc files (BSD style init)

edit:to add
as written in the link metaschima posted, to quote "(But I get infected after a while again, which I have not solved yet) "

if that happens, you can use audit (from SBo) to find out what brought the files back
to do this goes something like this:
auditctl -w /path/to/dir
#to add the directory to watch

then when the files are created
ausearch -f /foo/bar/file_created
#to find out what process created it

this uses the kernel audit framework
if it isn't in the log then the file was created before the daemon started

to remove a watch use auditctl -W /path/to/dir
more on

Last edited by genss; 04-25-2014 at 02:51 PM.
Old 04-30-2014, 05:46 PM   #32
Registered: May 2001
Posts: 28,826
Blog Entries: 55

Rep: Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342Reputation: 3342
Originally Posted by Tachtory View Post
The above find commands turned up 2 binaries in /boot/ and 2 basic shell scripts in /init.d/ to start them
1 members found this post helpful.
Old 05-01-2014, 03:57 PM   #33
Senior Member
Registered: Jan 2011
Posts: 4,636
Blog Entries: 7

Rep: Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104Reputation: 1104
Originally Posted by Tachtory View Post
Well it seems like I'm logged in, I don't know what the problem is.

Would it be okay to just post a drop-box link in this thread?
I believe you need to have > 50 posts to send PMs.
Contact Info visibility? I don't know about that one.



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
/tmp/ repeatedly infected: how to trace (and disable?) server IRC connections? juodojiakis Linux - Security 13 02-04-2012 11:57 AM
Max num of concurrent tcp connections && tcp auto tune rosv Linux - Networking 3 02-04-2011 02:57 AM
USB security - transferring files from infected windows machine to Linux box leighz Linux - Security 5 03-05-2009 09:11 AM
LXer: My Linux Box is INFECTED! LXer Syndicated Linux News 3 06-07-2008 09:00 PM
how many TCP connections at a time? hegdeshashi Linux - Networking 5 01-05-2006 11:19 PM

All times are GMT -5. The time now is 11:05 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration