LinuxQuestions.org
Old 06-12-2006, 04:51 PM   #1
GeorgeR
LQ Newbie
 
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4

Rep: Reputation: 0
Gatecrasher trojan....or is it?


Hiya. I just tossed out WinXP a couple of weeks ago, so this might be a dumb question.

I was running Azureus with a new firewall- I was using Guarddog, and switched to Firestarter this weekend. For the first time I noticed port 6969 was labeled Gatecrasher, and blocked. I did some Googling, and found that it is a trojan, but found very little on how to delete it in Linux.

I've also read that the port can be mislabeled (???).

Does anyone have any input on this? The Firestarter mailing list hasn't replied yet.

Thank you!
 
Old 06-12-2006, 05:27 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
For the first time I noticed port 6969 was labeled Gatecrasher, and blocked. / I've also read that the port can be mislabeled
When infected, Gatecrasher listens on port TCP 6969. Someone made a rule for it, disregarding the fact that anyone can legitimately use arbitrary and random ports over 1024, and *listening* on a port doesn't mean it is the trojan. Traffic can be dissected in many ways, say using an IDS like Snort, because it looks for patterns in the traffic (isn't infallible, but OK). Other ways to get proof positive would (in this case) be a banner scan or simple telnet to the port. In general you would "netstat -nlp" or better "lsof -i tcp:6969" in Linux, which would give you details of what process runs connected on port TCP 6969.

All of this isn't necessary right now as Gatecrasher is a trojan for the P.O.S. (the Pitiful Operating System aka MICROS~1). It doesn't run on GNU/Linux.
 
Old 06-13-2006, 06:04 AM   #3
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
You can also use
fuser 6969/tcp

to find which process is listening on that port.
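
What the commands in the two replies above look up, as an added example that is not part of either post: a socket in LISTEN state on TCP 6969 is found in the kernel's socket table, and its inode is then matched to the process holding it. The function names and the sample table are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the lookup behind "netstat -nlp", "lsof -i tcp:6969" and "fuser 6969/tcp".

# listeners_on PORT [TABLE]
# Print "local_address inode" for every socket in LISTEN state (st == 0A) whose
# local port is PORT. TABLE defaults to /proc/net/tcp (pass /proc/net/tcp6 for
# IPv6, or "-" to read a table from stdin).
listeners_on() {
    local port_hex
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" 'NR > 1 && $4 == "0A" {
        n = split($2, a, ":")            # local_address is HEXIP:HEXPORT
        if (toupper(a[n]) == p "") print $2, $10
    }' "${2:-/proc/net/tcp}"
}

# owners_of INODE [PROCROOT]
# Print "pid command" for each process holding the socket with that inode.
# Reading other users' fd directories needs root, as with lsof and fuser.
owners_of() {
    local root fd pid
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(cat "$root/$pid/comm" 2>/dev/null)"
    done | sort -u
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# row 0 listens on 6969, row 1 is an outbound connection TO a remote port 6969,
# row 2 is an unrelated listener on port 22.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1B39 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337
   1: 0A00000A:C350 1400000A:1B39 01 00000000:00000000 00:00000000 00000000  1000        0 31400
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999
EOF
}

# Only row 0 is reported: a port number in a firewall log is not a listener.
sample_table | listeners_on 6969 -
# On a live system: listeners_on 6969, then owners_of <inode> as root.
```

An empty result from `listeners_on 6969` on the live table means nothing on the machine is accepting connections on that port, whatever label the firewall put on the traffic.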
 
Old 06-13-2006, 08:47 AM   #4
GeorgeR
LQ Newbie
 
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4

Original Poster
Rep: Reputation: 0
Ahhh, thank you thank you. New tools for the Great Linux Toolbox!

I'm not all too bright yet about networking, which is obvious since it didn't occur to me to just knock on that port and say, "Hey, what's up in there???"

Side note- I've been lurking here for a couple of weeks while trying to get my new PC to function properly. Everyone here seems amazingly helpful, and I hope to actually get to offer something in the future. Thanks again!
 
Old 06-13-2006, 10:04 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
just knock on that port and say, "Hey, what's up in there???"
Well, for a trojan OK, but were this a cracker case you wouldn't want to do that. If they get alerted that way they might do stuff you would rather not have them do.

Quote:
I hope to actually get to offer something in the future
I find the idea of you willing to share your hard-earned cash with LQ as contributing member extremely sympathetic ;-p
 
Old 06-13-2006, 02:18 PM   #6
GeorgeR
LQ Newbie
 
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
I find the idea of you willing to share your hard-earned cash with LQ as contributing member extremely sympathetic ;-p
OK, done. Thanks for the tip!
 
  

