Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
06-12-2006, 04:51 PM
#1
LQ Newbie
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4
Gatecrasher trojan....or is it?
Hiya. I just tossed out WinXP a couple of weeks ago, so this might be a dumb question.
I was running Azureus with a new firewall- I was using Guarddog, and switched to Firestarter this weekend. For the first time I noticed port 6969 was labeled Gatecrasher, and blocked. I did some Googling, and found that it is a trojan, but found very little on how to delete it in Linux.
I've also read that the port can be mislabeled (???).
Does anyone have any input on this? The Firestarter mailing list hasn't replied yet.
Thank you!
06-12-2006, 05:27 PM
#2
Moderator
Registered: May 2001
Posts: 29,415
For the first time I noticed port 6969 was labeled Gatecrasher, and blocked. / I've also read that the port can be mislabeled
When infected, Gatecrasher listens on port TCP 6969. Someone made a rule for it, disregarding the fact that anyone can legitimately use arbitrary and random ports over 1024, and *listening* on a port doesn't mean it is the trojan. Traffic can be dissected in many ways, say using an IDS like Snort, because it looks for patterns in the traffic (isn't infallible, but OK). Other ways to get proof positive would (in this case) be a banner scan or simple telnet to the port. In general you would "netstat -nlp" or better "lsof -i tcp:6969" in Linux, which would give you details of what process runs connected on port TCP 6969.
All of this isn't necessary right now as Gatecrasher is a trojan for the P.O.S. (the Pitiful Operating System aka MICROS~1). It doesn't run on GNU/Linux.
06-13-2006, 06:04 AM
#3
Member
Registered: Mar 2004
Posts: 135
You can also use
fuser 6969/tcp
to find which process is listening on that port.
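What "lsof -i tcp:6969" and "fuser 6969/tcp" from the posts above look up can also be read by hand from /proc. The script below is an added example, not part of the original thread; the function names and the sample /proc/net/tcp lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve "who is listening on TCP 6969?" from /proc by hand.
# Function names and the sample table are constructed for illustration.

# Constructed sample in /proc/net/tcp format (addresses and ports are hex).
# Row 2 is an outbound connection TO a remote port 6969, not a local listener.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1B39 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15230 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C5D2 0A0200C0:1B39 01 00000000:00000000 00:00000000 00000000  1000        0 50177 1 0000000000000000 20 4 30 10 -1
EOF
}

# listening_inodes PORT [FILE...]
# Print the socket inode of every LISTEN entry whose *local* port is PORT.
# Reads /proc/net/tcp-format text from FILEs, or stdin when none are given.
listening_inodes() {
    want=$(printf '%04X' "$1"); shift
    awk -v want="$want" '
        $4 == "0A" {                       # 0A = TCP_LISTEN; header row has "st"
            n = split($2, a, ":")          # local_address is ADDR:PORT
            if (toupper(a[n]) == want) print $10   # field 10 = socket inode
        }' "$@"
}

# pids_for_inode INODE
# Print PIDs holding a file descriptor on socket INODE (live system only).
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Demo on the constructed sample (the inode will not match a real process).
for inode in $(sample_proc_net_tcp | listening_inodes 6969); do
    echo "TCP 6969 LISTEN: socket inode $inode, pid(s): $(pids_for_inode "$inode" | tr '\n' ' ')"
done
```

On a live system, call `listening_inodes 6969 /proc/net/tcp /proc/net/tcp6`; `pids_for_inode` needs root to see sockets owned by other users' processes.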
06-13-2006, 08:47 AM
#4
LQ Newbie
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4
Original Poster
Ahhh, thank you thank you. New tools for the Great Linux Toolbox!
I'm not all too bright yet about networking, which is obvious since it didn't occur to me to just knock on that port and say, "Hey, what's up in there???"
Side note- I've been lurking here for a couple of weeks while trying to get my new PC to function properly. Everyone here seems amazingly helpful, and I hope to actually get to offer something in the future. Thanks again!
06-13-2006, 10:04 AM
#5
Moderator
Registered: May 2001
Posts: 29,415
just knock on that port and say, "Hey, what's up in there???"
Well, for a trojan OK, but were this a cracker case you wouldn't want to do that. If they get alerted that way they might do stuff you would rather not have them do.
I hope to actually get to offer something in the future
I find the idea of you willing to share your hard-earned cash with LQ as contributing member extremely sympathetic ;-p
06-13-2006, 02:18 PM
#6
LQ Newbie
Registered: Jun 2006
Location: USA
Distribution: Debian
Posts: 4
Original Poster
Quote:
Originally Posted by unSpawn
I find the idea of you willing to share your hard-earned cash with LQ as contributing member extremely sympathetic ;-p
|
OK, done. Thanks for the tip!
All times are GMT -5.