Salam Issam,

Yes. Any time you see a process you did not create connecting to a remote host, especially on IRC ports, then you can be certain it is a trojan of some sort.

netstat -tapn or netstat -tap will show you a list of what is connecting where. Follow the suspicious processes with lsof -n -i to see where the culprit is hiding.

Be careful how you remove it. A simple process kill or binary removal may result in bad countermeasures from the trojan, like deleting your /var. Be very careful. Once you identify your trojan binaries and how they are starting, then you had better shut down. Reboot with a rescue disk. Mount your hard disk. Remove binaries and startup scripts. Restart normally.

On a RH9 I would update your ssh server and clients. Change all of your user passwords. Set up a firewall. Close everything going out. Then and only then you get it online again.

Or, you can format and reinstall a newer distro. :P

Abdallah

On 12/1/06, Issam <[EMAIL PROTECTED]> wrote:
>
> Hi
> Sorry for not coming today (jolug meeting), I'll do my best to attend
> next time. Hmmm, I found an open port on one of the servers at work
> (Redhat9) to a remote port: 6667, which is used as I know for IRC. I
> found it weird because the server shouldn't connect to it :s
> I googled around and found the below links:
> http://www.bindview.com/Services/RAZOR/Advisories/2001/adv_LkIPmasq.cfm
> http://www.sarc.com/avcenter/venc/data/linux.backdoor.kaiten.html
>
> I closed the port through iptables, but still would like to know whether
> it is a backdoor thingy or anything else.
> Any idea?
>
> Regards,
> Issam Hambouz

You received this message because you are subscribed to the Google Groups "Jolug" group. For more options, visit this group at http://groups-beta.google.com/group/Jolug?hl=en-GB
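As an added example (not from the thread), here is a small POSIX shell script that applies the netstat/lsof triage described above: it reads netstat -tapn output and flags ESTABLISHED connections to IRC ports (6660-6669 and 7000 is an assumed list; adjust it), printing the owning PID/program so you can follow up with lsof -n -p <pid> to see the binary's path and working directory. The sample netstat lines, PIDs and program names are constructed for the example.

```shell
#!/bin/sh
# Added example: flag established TCP connections to IRC ports in the
# output of `netstat -tapn` and report the owning PID/program name.
# The port list and the sample data below are assumptions, not real data.

# Ports treated as IRC: 6660-6669 and 7000 (assumed list; edit as needed).
is_irc_port() {
    case "$1" in
        666[0-9]|7000) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `netstat -tapn` lines on stdin and prints "PID/Program remote"
# for every ESTABLISHED tcp/tcp6 connection whose remote port is IRC.
# Header lines and non-tcp rows are skipped by the proto check.
flag_irc_connections() {
    while read -r proto recvq sendq local foreign state pidprog; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac
        [ "$state" = "ESTABLISHED" ] || continue
        port=${foreign##*:}          # last colon-separated field is the port
        if is_irc_port "$port"; then
            printf '%s %s\n' "$pidprog" "$foreign"
        fi
    done
}

# Constructed sample of `netstat -tapn` output (hypothetical PIDs/names).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp        0      0 10.0.0.5:22            10.0.0.9:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:33012         203.0.113.7:6667        ESTABLISHED 1337/unknown
tcp        0      0 0.0.0.0:80             0.0.0.0:*               LISTEN      900/httpd
tcp        0      0 10.0.0.5:33013         198.51.100.4:7000       TIME_WAIT   -'

if [ "${1:-}" = "--live" ]; then
    # On a real host: then inspect each hit with `lsof -n -p <pid>`
    # (the txt and cwd entries show where the binary lives).
    netstat -tapn 2>/dev/null | flag_irc_connections
else
    printf '%s\n' "$SAMPLE" | flag_irc_connections
fi
```

Run with --live on the box itself to scan real netstat output; without arguments it runs against the constructed sample.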

