Don't trust process names on an infected host. ps axe
and follow the location each app is running from. I once had a trojan masquerading as crond. It ran as:

    5088 ? D 0:00 CROND CONSOLE=/dev/console HOSTNAME=host.tld TERM=linux PROFILE=prod INIT_VERSION=sysvinit-2.85 PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin

Notice the capital CROND. You better compare system tool binaries like ps, ls and such against an uninfected server. Most likely they have been altered by now. Don't trust them.

Abdallah

On 12/1/06, Issam <[EMAIL PROTECTED]> wrote:
>
> Saleh:
> No, Redhat9 has kernel 2.4.20-8
>
> Abdallah:
> Thanks for your reply .. I checked the processes running, everything
> seems ok now, the process which established the connection was httpd, I
> already removed it since we don't need it. The connection to the remote
> dest (on port 6667) is gone, and I already rebooted the server - lost
> the 9 weeks uptime :-s -. But will keep an eye on it.
>
> Abdallah wrote:
> >
> > Salam Issam
> >
> > Yes. Anytime you see a process you did not create connecting to a
> > remote host, especially IRC ports, then you can be certain it is a
> > trojan of some sort.
> >
> > netstat -tapn or netstat -tap will show you a list of what is
> > connecting where. Follow the suspicious processes with lsof -n -i to
> > see where the culprit is hiding.
> >
> > Be careful how you remove it. A simple process kill or binary
> > removal may result in bad counter measures from the trojan, like
> > deleting your /var.
> >
> > Be very careful.
> >
> > Once you identify your trojan binaries and how they are starting, then
> > you better shut down. Reboot with a rescue disk .. Mount your hard disk
> > . Remove binaries and startup scripts.
> >
> > Restart normally. On a RH9 I would update your ssh server and clients.
> > Change all of your user passwords. Set up a firewall.. Close everything
> > going out.
> >
> > Then and only then you get it online again.
> >
> > Or, you can format and reinstall a newer distro. :P
> >
> > Abdallah

--
You received this message because you are subscribed to the Google Groups "Jolug" group. To post to this group, send email to [EMAIL PROTECTED]. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups-beta.google.com/group/Jolug?hl=en-GB
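The two checks the thread recommends, following each process back to the binary it runs from and comparing system tools against a known-clean copy, can be scripted. The script below is an added example written for this page; it is not code from the thread or its authors. It reads /proc directly rather than trusting ps, flags a process whose name does not match its binary (the "CROND" vs crond case above), a binary that has been deleted from disk, or one living in a world-writable directory, and checks a list of "sha256  path" lines taken from an uninfected host against the local files. The function names, the manifest format and the sample inputs are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux /proc and sha256sum.

# classify_process NAME EXE_PATH
# NAME is the kernel's comm (as in /proc/PID/comm, max 15 chars), EXE_PATH is
# what /proc/PID/exe points at. Prints one reason per line when the pair looks
# wrong; prints nothing when it looks normal.
classify_process() {
    name=$1
    exe=$2
    base=${exe##*/}
    base=${base% (deleted)}
    # comm is truncated to 15 characters, so compare against the same prefix
    base15=$(printf '%.15s' "$base")
    if [ "$name" != "$base15" ]; then
        lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if [ "$lower" = "$base15" ]; then
            echo "case-only name mismatch: $name vs $base"
        else
            echo "name mismatch: $name vs $base"
        fi
    fi
    case "$exe" in
        *" (deleted)") echo "binary no longer on disk: $exe" ;;
    esac
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "runs from world-writable dir: $exe" ;;
    esac
}

# scan_proc: walk /proc and report every PID that classify_process flags.
# Kernel threads have no exe link and are skipped.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        name=$(cat "$d/comm" 2>/dev/null) || continue
        reasons=$(classify_process "$name" "$exe")
        if [ -n "$reasons" ]; then
            printf '%s\t%s\t%s\n' "$pid" "$name" "$exe"
            printf '%s\n' "$reasons" | sed 's/^/    /'
        fi
    done
}

# verify_manifest MANIFEST [ROOT]
# MANIFEST holds "<sha256>  <path>" lines produced on a clean host with
# e.g. "sha256sum /bin/ps /bin/ls /bin/netstat". ROOT lets you check a
# suspect disk mounted from a rescue system (e.g. /mnt). Prints MISSING or
# MODIFIED per differing path and returns 1 if anything differs.
verify_manifest() {
    manifest=$1
    root=${2:-}
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        have=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage on the suspect host: scan_proc; verify_manifest clean.sha256
# Usage from a rescue disk:   verify_manifest clean.sha256 /mnt
```

Run scan_proc from a shell whose own tools you trust (a static busybox or the rescue disk's binaries), because a kit that replaced ps and ls may also hide its /proc entries from the tools on the box. The manifest check is only as good as the host the hashes came from, so generate it on a machine with the same package versions and copy the file across read-only media.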

