On Sunday 05 May 2002 5:47 am, db wrote:
> I recently installed Mandrake 8.1. (for the 3rd time! :) ) My
> machine is on a university network. I frequently get a popup KWrited
> document on my desktop that is labeled "listening on device
> /dev/pts/0" and then makes a long list of audio and font files
> locating them on several of my partitions. The partitions are:
>
> the /dev/ ... (of my secondary drive that contains an alternate boot
> of Redhat 5.1)
> the /usr/share/ ...
> the /var/lib ...
> the /var/tmp ...
>
> I assume people used my machine's drives as a way station for napster
> like file transfer...
>
> I just poked around in the Control Panel and set my security to
> medium ... that seems to have stopped it. At least I am not getting
> any more KWrited listening docs popping up ... (I didn't do this
> before because during install I requested high security but it
> appears "Crackers" level somehow got installed anyway.)
>
> Am I right about what was going on and why? What, if anything, more
> should I do additionally? I saved a copy of the KWrited listing of
> files ... should I delete the files?
>
> Is there any chance there is some kind of worm or trojan horse on my
> machine now?

It's unlikely if the machine was being used as an ftp site, but see
disclaimer at the end :)

What you could do as a first shot is log in as root and:

    find / -name '*.mp3' -print

(and possibly

    find / -name '*.ogg' -print

)

and, if you find any MP3 or OGG files you don't recognise, move them
elsewhere (don't delete them until you're sure there's no problem - it's
unlikely that applications will use MP3 or OGG files to play their
sounds, but you never know).

Then:

- download and install all 8.1 security updates (however that's done
  there; 8.2 uses an application called MandrakeUpdate to automate this);

- run Bastille Linux, which may already be installed, if not run, and,
  if not, can be got from http://www.bastille-linux.org/
  It 'hardens' an existing Linux installation to make it more resistant
  to attack by performing various operations (firewalling and so on).
  To run it type InteractiveBastille when logged in as root - note case.

More sophisticated techniques will have to wait until someone more
knowledgeable than me answers.

Alastair
--
Alastair Scott (London, United Kingdom)
http://www.unmetered.org.uk/
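
An added example, not part of the message above: a POSIX shell version of the find-then-move-aside step, which records each file's owner, size and timestamp before moving it so nothing is deleted or lost track of. The function names, the quarantine directory layout and MANIFEST.txt are assumptions made for this example, and paths are assumed to contain no newlines.

```shell
#!/bin/sh
# Added example: list audio files for review, then move only the reviewed
# paths into a quarantine directory instead of deleting them.

# list_media ROOT...: print every regular *.mp3 / *.ogg file (any case) under
# the given roots. The patterns are quoted so that find, not the shell,
# expands them; unquoted, a matching file in the current directory would
# silently change the search.
list_media() {
    find "$@" -type f \( -name '*.[Mm][Pp]3' -o -name '*.[Oo][Gg][Gg]' \) -print 2>/dev/null
}

# quarantine_list DEST: read reviewed paths on stdin and move each one into
# DEST under its original path. Ownership, size and mtime are logged to
# DEST/MANIFEST.txt before the move, so the evidence of who wrote the file
# and when survives.
quarantine_list() {
    dest=$1
    mkdir -p "$dest" || return 1
    while IFS= read -r f; do
        [ -f "$f" ] || continue                  # blank line or vanished file
        case $f in "$dest"/*) continue ;; esac   # already in quarantine
        target="$dest/${f#/}"
        mkdir -p "${target%/*}" || return 1
        ls -ld -- "$f" >> "$dest/MANIFEST.txt"
        mv -- "$f" "$target" || return 1
    done
}
```

For example, run `list_media / > media.txt` as root, delete the lines for files you recognise, then run `quarantine_list /root/quarantine < media.txt` (both file names are placeholders).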