On Wed, 7 Feb 2001, Carl Brock Sides wrote:

> My immediate guess, upon seeing anything running on 31337, is that
> you've been "0wn3d", as the script kiddies put it, and maybe lsof has
> been trojaned not to list the attacker's processes.
>
> You are running lsof as root, right? It won't show you everything as an
> ordinary user.
>
> You don't say what version of Debian you're running. If you're running
> potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
>
> be8cf28300c29db5dffbea19fd613abf /usr/sbin/lsof
>
> If that's not it, it's a trojan. I'd guess that other useful tools for
> finding out what's going on, e.g. ls and ps and fuser, have been
> trojaned as well. (Although you might want to try "fuser 31337/tcp",
> maybe the attacker forgot about it.)
>
> Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
> interested in further investigation.
This may not be enough: recent rootkits install trojan libraries or even a
trojan kernel module, and intercept system calls directly, with no need to
tamper with tools. Therefore they are both more difficult to detect and more
difficult to clean. To be safe you need to boot from a safe kernel and/or run
statically linked utilities. A clean rescue cdrom is the safest bet.

Bye
Giacomo

_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216
Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________
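The two checks discussed in this exchange, worked through as an added example that is not part of the original thread: compare the listening sockets a userland tool (lsof) reports against what the kernel itself exposes in /proc/net/tcp, and verify a binary against a checksum taken from trusted media, as the quoted mail does for /usr/sbin/lsof. All inputs are constructed samples embedded inline (the PIDs, inodes, the 31337 listener and the lsof output are made up); on a live box you would feed it `cat /proc/net/tcp` and `lsof -i -n -P` instead. Giacomo's caveat applies unchanged: a disagreement between the two views proves a userland trojan (patched binary or library), but agreement proves nothing, because a kernel-module rootkit hooking the system calls behind /proc lies to both in the same way. That is why the tools, and the checksum tool itself, have to run from a clean kernel.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check a userland
# tool's view of listening sockets against the kernel's /proc/net/tcp, and
# verify a binary against a checksum obtained from a trusted copy of the
# package. Every input below is a CONSTRUCTED sample embedded inline.

# Constructed /proc/net/tcp: sshd on 22, a local MTA on 25, a LISTEN (st 0A)
# socket on 0x7A69 = 31337, and one ESTABLISHED (st 01) connection.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2345 1 00000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   3: 0105A8C0:8F2C 22D8B85D:0050 01 00000000:00000000 00:00000000 00000000  1000        0 6789 1 00000000 20 4 30 10 -1'

# Constructed "lsof -i -n -P" output from a hypothetically trojaned lsof:
# the 31337 listener has been filtered out.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      612 root    3u  IPv4   1234      TCP *:22 (LISTEN)
sendmail  700 root    4u  IPv4   2345      TCP 127.0.0.1:25 (LISTEN)
lynx     2001 user    4u  IPv4   6789      TCP 192.168.5.1:36652->93.184.216.34:80 (ESTABLISHED)'

# Ports in LISTEN state (st == 0A) as seen by the kernel. The port is the
# hex half of local_address; decoded by hand so plain POSIX awk suffices.
proc_listen_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" {
        split($2, addr, ":")
        hex = toupper(addr[2]); port = 0
        for (i = 1; i <= length(hex); i++)
            port = port * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
        print port
    }' | sort -n | uniq
}

# Ports in LISTEN state as reported by the (possibly trojaned) tool.
lsof_listen_ports() {
    printf '%s\n' "$1" | awk '/\(LISTEN\)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i }
    }' | sort -n | uniq
}

# Listening ports the kernel reports but the tool does not. Anything here
# means a userland trojan. An empty result is NOT a clean bill of health:
# an LKM rootkit hooking the syscalls behind /proc filters both views.
hidden_listen_ports() {
    seen=" $(lsof_listen_ports "$2" | tr '\n' ' ')"
    for p in $(proc_listen_ports "$1"); do
        case "$seen" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Compare a binary against a checksum from a trusted source (the package on
# a clean machine or a rescue CD). Only meaningful if md5sum itself is run
# from trusted media; a trojaned md5sum can simply print the expected value.
check_binary() {
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

printf 'Kernel listeners : %s\n' "$(proc_listen_ports "$SAMPLE_PROC_NET_TCP" | tr '\n' ' ')"
printf 'lsof listeners   : %s\n' "$(lsof_listen_ports "$SAMPLE_LSOF" | tr '\n' ' ')"
printf 'Hidden from lsof : %s\n' "$(hidden_listen_ports "$SAMPLE_PROC_NET_TCP" "$SAMPLE_LSOF" | tr '\n' ' ')"
```

Run against the samples, the last line reports 31337 as hidden. The decoding of the port by hand, rather than with gawk's strtonum, is deliberate: a rescue environment often has only a minimal awk, and the whole point of the exercise is to depend on as few possibly compromised binaries as you can.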