Also remember to run `last`, check /etc/passwd for any account you don't know, and check the history files for ALL accounts (.bash_history). If you see anything suspicious, I would advise a reinstallation; once you have been rooted you can't know for certain what they did to the system.
On 12/2/06, Abdallah <[EMAIL PROTECTED]> wrote:
> Don't trust process names on an infected host.
>
> ps axe
>
> and follow the location each app is running from.
>
> I once had a trojan masquerading as crond
>
> it ran as
>
> 5088 ? D 0:00 CROND CONSOLE=/dev/console HOSTNAME= host.tld
> TERM=linux PROFILE=prod INIT_VERSION=sysvinit-2.85
> PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
>
> notice the capital CROND.
>
> You better compare system tools binaries like ps, ls and such against an
> uninfected server. Most likely they have been altered by now.
>
> Don't trust them.
>
> Abdallah
>
>
> On 12/1/06, Issam <[EMAIL PROTECTED]> wrote:
> >
> > Saleh:
> > No, Redhat9 has kernel 2.4.20-8
> > Abdallah:
> > Thanks for your reply .. I checked the processes running, everything
> > seems ok now, the process which established the connection was httpd, I
> > already removed it since we don't need it. The connection to the remote
> > dest (on port 6667) is gone, and I already rebooted the server - lost
> > the 9 weeks uptime :-s -. But will keep an eye on it.
> >
> > Abdallah wrote:
> >
> > > Salam Issam
> > >
> > > Yes. anytime you see a process you did not create connecting to a
> > > remote host, especially IRC ports, then you can be certain it is a
> > > trojan of some sort.
> > >
> > > netstat -tapn or netstat -tap will show you a list of what is
> > > connecting where. Follow the suspicious processes with lsof -n -i to
> > > see where the culprit is hiding.
> > >
> > > Be careful how you remove it. A simple process kill or binary
> > > removal may result in bad counter measures from the trojan. Like
> > > deleting your /var
> > >
> > > Be very careful.
> > >
> > > Once you identify your trojan binaries and how they are starting then
> > > you better shutdown. Reboot with a rescue disk .. Mount your hard disk
> > > . Remove binaries and startup scripts.
> > >
> > > restart normally. On a RH9 I would Update your ssh server and clients.
> > > Change all of your user passwords. Setup a firewall.. Close everything
> > > going out.
> > >
> > > Then and only then you get it online again.
> > >
> > > Or, you can format and reinstall a newer distro. :P
> > >
> > > Abdallah

--
---------------------------
Netiquette -> http://www.dtcc.edu/cs/rfc1855.html
Netiquette Nazi -> http://redwing.hutman.net/%7Emreed/warriorshtm/netiquettenazi.htm
---------------------------
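Added example, not part of the thread: a small POSIX shell helper that does the checks the thread walks through. It picks out established connections to IRC ports from `netstat -tapn`-style output (the sample output below is constructed, not captured from the poster's host), resolves where a PID's executable really lives via /proc, and compares a system tool's SHA-256 against a hash taken from a clean machine.

```shell
#!/bin/sh
# Constructed sample of `netstat -tapn` output (not from the thread's host).
# The port-6667 line mirrors the case discussed: an "httpd" talking to IRC.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.0.2.10:45210        198.51.100.7:6667       ESTABLISHED 5088/httpd
tcp        0      0 192.0.2.10:22           203.0.113.5:51022       ESTABLISHED 1422/sshd'

# Read netstat -tapn output on stdin; print "PID PROGRAM REMOTE" for every
# ESTABLISHED TCP connection whose remote port is a common IRC port
# (6660-6669 or 7000). Fields: Proto Recv-Q Send-Q Local Foreign State PID/Prog.
flag_irc_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        n = split($5, a, ":"); port = a[n] + 0
        if ((port >= 6660 && port <= 6669) || port == 7000) {
            split($7, p, "/"); print p[1], p[2], $5
        }
    }'
}

# On a live Linux host, show the real on-disk path behind a PID, which is
# what the thread means by "follow the location each app is running from";
# the name ps prints can be faked, the /proc/<pid>/exe link cannot.
exe_path_of() {
    readlink -f "/proc/$1/exe" 2>/dev/null || echo "unknown"
}

# Compare a tool binary against a SHA-256 recorded on an uninfected server.
# Usage: verify_tool /bin/ps <sha256-from-clean-host>
verify_tool() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    if [ "$actual" = "$2" ]; then echo "OK $1"; else echo "MISMATCH $1"; fi
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections
```

On a real host replace the sample with `netstat -tapn | flag_irc_connections`, then feed each flagged PID to `exe_path_of`; if netstat or ps themselves fail `verify_tool`, the thread's advice applies and their output cannot be trusted either.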

