Je me suis fait pirater ma boite mail gmail ce week end. Je fait mes
investigations pour connaitre le pourquoi du comment. J'ai 3 machines linux
ubuntu et debian et une sous windows que j'utilise occasionnelement.
J'ai fait un petit chkrootkit, qui m'a donné, horreur, ça:
checking 'bindshell'... INFECTED (PORTS: 15 24 6667 31337
Ensuite, j'ai fait un 'sudo netstat -tupl' qui m'a donné ça, mais comment
éradiquer bindshell? :
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat
PID/Program name
tcp 0 0 *:imap2 *:* LISTEN
4450/portsentry
tcp 0 0 *:sunrpc *:* LISTEN
4450/portsentry
tcp 0 0 *:finger *:* LISTEN
4450/portsentry
tcp 0 0 *:netstat *:* LISTEN
4450/portsentry
tcp 0 0 *:54320 *:* LISTEN
4450/portsentry
tcp 0 0 *:cisco-sccp *:* LISTEN
4450/portsentry
tcp 0 0 *:27665 *:* LISTEN
4450/portsentry
tcp 0 0 localhost.localdom:7634 *:* LISTEN
2877/hddtemp
tcp 0 0 *:ingreslock *:* LISTEN
4450/portsentry
tcp 0 0 192.168.122.1:domain *:* LISTEN
1600/dnsmasq
tcp 0 0 *:munin *:* LISTEN
1162/munin-node
tcp 0 0 *:ssh *:* LISTEN
1091/sshd
tcp 0 0 *:nntp *:* LISTEN
4450/portsentry
tcp 0 0 localhost.localdoma:ipp *:* LISTEN
3165/cupsd
tcp 0 0 *:socks *:* LISTEN
4450/portsentry
tcp 0 0 *:12345 *:* LISTEN
4450/portsentry
tcp 0 0 localhost.localdom:smtp *:* LISTEN
3037/master
tcp 0 0 *:12346 *:* LISTEN
4450/portsentry
tcp 0 0 *:635 *:* LISTEN
4450/portsentry
tcp 0 0 *:49724 *:* LISTEN
4450/portsentry
tcp 0 0 *:uucp *:* LISTEN
4450/portsentry
tcp 0 0 *:tcpmux *:* LISTEN
4450/portsentry
tcp 0 0 *:20034 *:* LISTEN
4450/portsentry
tcp 0 0 localhost.localdo:13666 *:* LISTEN
3196/LCDd
tcp 0 0 *:32771 *:* LISTEN
4450/portsentry
tcp 0 0 *:32772 *:* LISTEN
4450/portsentry
tcp 0 0 localhost.localdom:dict *:* LISTEN
2543/0
tcp 0 0 *:40421 *:* LISTEN
4450/portsentry
tcp 0 0 *:32773 *:* LISTEN
4450/portsentry
tcp 0 0 *:32774 *:* LISTEN
4450/portsentry
tcp 0 0 *:31337 *:* LISTEN
4450/portsentry
tcp 0 0 *:systat *:* LISTEN
4450/portsentry
tcp 0 0 *:ircd *:* LISTEN
2951/minbif
tcp 0 0 *:5742 *:* LISTEN
4450/portsentry
tcp6 0 0 [::]:ssh [::]:* LISTEN
1091/sshd
tcp6 0 0 localhost:ipp [::]:* LISTEN
3165/cupsd
udp 0 0 *:54321 *:*
4454/portsentry
udp 0 0 192.168.122.1:domain *:*
1600/dnsmasq
udp 0 0 *:700 *:*
4454/portsentry
udp 0 0 *:bootps *:*
1600/dnsmasq
udp 0 0 192.168.122.1:59588 *:*
6294/opera
udp 0 0 *:bootpc *:*
6200/dhclient
udp 0 0 *:37444 *:*
4454/portsentry
udp 0 0 *:tftp *:*
4454/portsentry
udp 0 0 *:31335 *:*
4454/portsentry
udp 0 0 *:31337 *:*
4454/portsentry
udp 0 0 239.255.255.250:1900 *:*
6294/opera
udp 0 0 239.255.255.250:1900 *:*
6294/opera
udp 0 0 kashyyyk:54131 *:*
6294/opera
udp 0 0 *:34555 *:*
4454/portsentry
udp 0 0 *:635 *:*
4454/portsentry
udp 0 0 *:640 *:*
4454/portsentry
udp 0 0 *:641 *:*
4454/portsentry
udp 0 0 *:who *:*
4454/portsentry
udp 0 0 *:1 *:*
4454/portsentry
udp 0 0 *:32770 *:*
4454/portsentry
udp 0 0 *:32771 *:*
4454/portsentry
udp 0 0 *:32772 *:*
4454/portsentry
udp 0 0 *:32773 *:*
4454/portsentry
udp 0 0 *:32774 *:*
4454/portsentry
udp 0 0 *:echo *:*
4454/portsentry
udp 0 0 *:discard *:*
4454/portsentry
udp 0 0 *:snmp *:*
4454/portsentry
udp 0 0 *:snmp-trap *:*
4454/portsentry