Old 06-10-2002, 10:44 PM   #1
Registered: May 2001
Location: New York, USA
Distribution: RH 7.3, 8.0
Posts: 64

Rep: Reputation: 15
a trojan inside my box?

Just after installing Redhat 7.3 (Cheapbytes pink tie version) and putting it online, I found my new box kept ftping out!!!

The destination was, which telneted my box minutes later and got refused by the tcp wrapper.

Is there a trojan in my newly installed system? If yes, how can I find it? Currently, I could use ethereal to monitor packets, but I don't know which program requested ftp. I also checked my box with chkrootkit but found nothing abnormal.

Old 06-10-2002, 10:53 PM   #2
Registered: May 2001
Posts: 125

Rep: Reputation: 15
I don't know, but I am curious. If you are willing, I would let the connection through tcp wrappers, but run tcpdump and see what goes across the network.
Old 06-12-2002, 01:22 AM   #3
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
You need to get the checkrootkit (chkrootkit) program and run it to see what rootkit you got. Back up all your data, do some reading about security, get everything ready, and then reinstall the system. (But when you have the new system, make sure you make a good firewall, shut down all unneeded services, don't use any communication with clear-text passwords, eliminate shells from users except for the ones that need to log in through ssh, and drop telnet.)
Old 06-12-2002, 04:31 AM   #4
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Rep: Reputation: 3545
If the box is regarded as suspect, running chkrootkit *without verified clean* binaries won't get you anywhere. The same goes for verifying installed RPMs against the rpm database.
Best thing would be to check by running the biatchux CD (somewhere at sourceforge); it's got chkrootkit on it as well as a myriad of other tools.

Except for time-consuming manual examination of the filesystem for dot-files and dot-dirs, running strings on binaries trying to find signs of compromise, and trying to undelete/recover bits 'n pieces, about the only thing you can do is go through logfiles, (w|u)tmp entries, passwd/group and config files trying to find anomalies. However, if they used a zapper even that might not turn up anything.

If unsure, better save your *human readable data* (no binaries) and, like Noerr said, reinstall and secure the system.
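
The open question from post #1 (which program is making the outbound FTP connections) can be answered by reading /proc directly instead of relying on netstat or lsof. The following is an added example, not part of the original thread: it parses /proc/net/tcp and matches socket inodes against the /proc/<pid>/fd symlinks. It assumes a little-endian IPv4 Linux host and a Python interpreter taken from trusted media; the function names and the sample data are constructed for illustration.

```python
"""Map TCP connections to a given remote port (21 = FTP control) to their owning processes."""
import os
import re
import socket
import struct

# Constructed sample in /proc/net/tcp format (203.0.113.5 is a documentation address).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 c0 100 0 0 10 0
   1: 0A00000A:8124 057100CB:0015 01 00000000:00000000 00:00000000 00000000     0        0 4242 1 c0 100 0 0 10 0
"""

def _addr(hex_addr):
    """Decode 'HEXIP:HEXPORT'; assumes a little-endian host such as x86."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_tcp(text):
    """Return one dict per socket line of /proc/net/tcp-formatted text (header skipped)."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return [{"local": _addr(f[1]), "remote": _addr(f[2]), "state": f[3],
             "uid": int(f[7]), "inode": int(f[9])} for f in rows if len(f) >= 10]

def socket_owners(proc_root="/proc"):
    """Map socket inode -> [(pid, exe)] from /proc/<pid>/fd symlinks (run as root to see all)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            for fd in os.listdir(os.path.join(base, "fd")):
                m = re.match(r"socket:\[(\d+)\]$", os.readlink(os.path.join(base, "fd", fd)))
                if m:
                    owners.setdefault(int(m.group(1)), []).append((int(pid), exe))
        except OSError:
            continue  # process exited, kernel thread, or permission denied
    return owners

def who_talks_to(port, tcp_text, owners):
    """Return (local, remote, uid, owners) for every connection whose remote port matches."""
    return [(c["local"], c["remote"], c["uid"], owners.get(c["inode"], []))
            for c in parse_tcp(tcp_text) if c["remote"][1] == port]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for row in who_talks_to(21, fh.read(), socket_owners()):
            print(row)
```

A matching connection with an empty owner list means no visible process holds that socket, which is itself worth investigating. A kernel-level rootkit can still falsify /proc, so this does not replace the offline check from clean media recommended in post #4.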