Just shut the machine down as soon as possible. Even get the local janitor to do it if you can't get to the site. Rebooting it won't help. All processes and software are potentially compromised, including the behaviour of the TCP stack, file mod dates, really everything. The sensible way about it is to "have an outage" on that machine, and switch over to your alternate server which is patched and up-to-date (ahh hopefully you have one...).
Regards,
Jill.

-----Original Message-----
From: Voytek [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 6 April 2005 8:16 AM
To: slug@slug.org.au
Subject: [SLUG] dealing with compromised machine ?

I have a compromised RH73 machine, until such time as I can pull it down, what can I do to identify and shut down any rogue processes/backdoors ?

BDC scan identified:

----
BDC/Linux-Console v7.0 (build 2492) (i386) (Dec 11 2003 13:24:00)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.
/var/tmp/mremap_pte infected: Linux.OSF.8759
...(several more)
/var/tmp/tlsd.pl infected: Backdoor.Perl.Termapp.A
...
* packed with (Upx)
* packed with (ExePack 3.69)
* packed with (ExePack 3.69)
----

additionally, there was baddies in and below /tmp

I've removed all the baddies, but, I expect there will be some open ports ?

is there a way to shut them in the interim period till I can get to the machine ?

--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
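As an added illustration of what can and cannot be checked on the box before it is powered off (not part of either post): a Python script that reads the kernel's /proc/net/tcp table directly, instead of trusting a netstat binary the intruder may have replaced, and flags listeners that are not on an allow-list. The sample table, the allow-list of ports 22 and 25, and the uid/inode values are constructed; as Jill points out, a kernel-level compromise can hide entries from this view as well, so the output informs the shutdown rather than replacing it.

```python
# Enumerate TCP listeners from /proc/net/tcp without relying on netstat/ss.
# Each row is: sl local_address rem_address st txq:rxq tr:when retrnsmt uid timeout inode ...
# Addresses are hex, IPv4 in host (little-endian on x86) byte order, port in hex.
import socket
import struct

# Constructed sample of a /proc/net/tcp file (not taken from the original post).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1300 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 9876 1 0000000000000000 100 0 0 10 0
   3: 0200000A:0016 0100000A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp

def _decode_addr(hex_addr):
    """Convert 'AABBCCDD:PPPP' (little-endian IPv4, hex port) to (dotted ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, uid, inode)] for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        result.append((ip, port, int(fields[7]), int(fields[9])))
    return result

def unexpected_listeners(listeners, allowed_ports):
    """Listeners whose port is not on the allow-list: candidates for a backdoor."""
    return [entry for entry in listeners if entry[1] not in allowed_ports]

if __name__ == "__main__":
    # On a live box: text = open("/proc/net/tcp").read(); here the constructed sample is used.
    for ip, port, uid, inode in unexpected_listeners(listening_sockets(SAMPLE_PROC_NET_TCP), {22, 25}):
        print(f"unexpected listener {ip}:{port} uid={uid} inode={inode}")
```

The inode can be matched against /proc/*/fd/* to find the owning process, but a listener with no visible owner is itself a sign that the process table is being hidden.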