Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Unfortunately my system (HD-installed Knoppix release 3.2) was hacked, probably 2 days ago.
I did a port scan and found out that it is infected by the trojan Deepthroat 2.0 & 3.0, which
is now listening on port 60000.
How can I get rid of the trojan without installing from scratch?
"Deep Throat", "Foreplay" and "Trojan Sockets" or whatever is supposed to be listening on TCP/6000 are trojans for the MICROS~1 game platform, so that can't be it. Unfortunately a port scan doesn't say a thing.
If you don't know what's listening on the port and you want to find out more, as root 1) run "netstat -anp", 2) validate the listening apps (md5sum, package manager, integrity checkers like AIDE, Samhain or Tripwire) and 3) download chkrootkit (chkrootkit.org) and scan.
"Usually" it'll just be that the firewall port hasn't been blocked, or a default policy of "ACCEPT" is used: block the port, reload the firewall and rescan.
Taking your advice into account, I re-examined the system with netstat and could identify the process updatefs, which was listening on port 60000.
After killing the process it also disappeared from the netstat summary of listening ports.
I have no idea what this application is usually good for.
Anyway, I also tried chkrootkit, but it found almost nothing suspicious besides ifconfig, which is supposedly infected. Also the system appears to have a so-called LKM trojan installed, but chkrootkit doesn't give detailed information.
I'm afraid there's no other possibility than to set up the system again.
By the way, I had my computer checked by Nessus. It turned out that the intruder may have entered through a vulnerable version of the Samba server, which was running accidentally, and so was able to gain a root shell.
The intrusion was easily recognised, because two new users were added to passwd!
Before you reformat (please *do* reformat) and re-install, can you save some info, like "find / -type f -print0 | xargs -0 md5sum 2>/dev/null > /tmp/allfilesums.log" (or, if you have an idea when it happened, "find / -type f -mtime -x -print0 | xargs -0 md5sum 2>/dev/null > /tmp/mtime_x_filesums.log", where x is the days before discovery +1, or check wtmp for when the accounts were added and add 2 days), all system logs and the passwd/shadow/wtmp files?
If you use "find" and you see files you can't find a purpose for, make a list of them and tar 'em up.
This way you have at least minimal info saved about the compromise.
If you want me to look a bit more into this compromise, I invite you to take it up with me by email.
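As an added example (not code from the thread, from Knoppix or from any of the posters), the two replies above (netstat/validate/chkrootkit, then save checksums, logs and account files before wiping) combined into one script. The function names, the output paths, the 3-day window and the choice of `ss` over `netstat` where available are assumptions; the `updatefs` process and port 60000 are not special-cased, the script simply records what is on the box.

```shell
#!/bin/sh
# Added example, not code from the thread. Collects a minimal evidence bundle
# (checksums of recently modified files, listening sockets with their PIDs,
# passwd/shadow/wtmp and logs) into one tarball before the disk is wiped.
# Run as root on the compromised host, ideally from a clean static toolset:
# a trojaned ifconfig/netstat/find (chkrootkit flagged ifconfig above) will lie.
#
# Usage: collect_evidence <root> <days> <outdir>   e.g. collect_evidence / 3 /tmp/ev

# Regular files under $1 (one filesystem) modified in the last $2 days, NUL-separated.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -print0 2>/dev/null
}

# md5sum of those files. -exec ... + avoids xargs and copes with odd filenames.
sum_recent() {
    find "$1" -xdev -type f -mtime "-$2" -exec md5sum {} + 2>/dev/null
}

# Accounts worth a second look in a passwd file ($1): any uid 0 that is not
# root, and any uid >= 1000 with a real login shell. A cheap check for the
# "two new users were added to passwd" indicator from the thread.
suspicious_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || ($3 >= 1000 && $7 !~ /(nologin|false)$/) { print $1 }' "$1"
}

collect_evidence() {
    root=$1; days=$2; out=$3
    mkdir -p "$out"
    sum_recent "$root" "$days" > "$out/mtime_${days}_filesums.log"
    # Listening sockets with owning process (needs root to see every PID);
    # ss replaces netstat on current distributions.
    if command -v ss >/dev/null 2>&1; then
        ss -lntup > "$out/listening.txt" 2>/dev/null || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -anp > "$out/listening.txt" 2>/dev/null || true
    fi
    # Account database, login records and logs, timestamps preserved (-p).
    for f in /etc/passwd /etc/shadow /var/log/wtmp /var/log/auth.log /var/log/messages; do
        [ -r "$f" ] && cp -p "$f" "$out/" 2>/dev/null || true
    done
    [ -r /etc/passwd ] && suspicious_accounts /etc/passwd > "$out/suspicious_accounts.txt"
    tar -czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
    # Checksum the bundle itself so later tampering is detectable, then copy it off-host.
    md5sum "$out.tar.gz" > "$out.tar.gz.md5"
    echo "$out.tar.gz"
}
```

Copy the resulting tarball and its `.md5` to another machine before reinstalling; the checksum list is what lets you later diff the compromised files against a clean install of the same packages.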
I read your post too late; I have now already re-installed my Linux (a newer version with all services off).
But you're right, it would have been better to investigate some more to collect as much info as possible for the people reading this forum who will probably face the same problem from now on. Now it's too late. All evidence is gone.
But I'm warned. (Now I'm not a virgin anymore ;-) )
The leak is described under DSA-280-1 (samba) on the Debian pages.