trojan problem

Brian Walker bfwalker at gmail.com
Sun Jan 22 12:59:53 UTC 2006


Dear All,

It pains me to say so, but I have a trojan somewhere on my system, and it is
a pain. I need help to rid myself of it.

Description:
Home-built Intel box, 120 GB HD, 2 GB RAM, booting:

/dev/hda1 Windows XP
/dev/hda2 Ubuntu Breezy
/dev/hda4 another version of Breezy after a borked dist-upgrade - due to be
removed and reformatted, but not got round to it yet.

Grub boots into /dev/hda2 Breezy, and I use that partition for all
work-related things. Recently tried to re-install Quasar (a great CRM and
POS software, BTW), but I tried to do it via cvs, and needed to enable ssh
for that. This I did.

nmapfe as root showed

1. I had unexplained open ports in the high regions
2. trinoo_master was on port 27665
3. a number of slaves were operating (googled to get extensive info on
trinoo_master... this is typical behaviour of the trojan)

Result: my computer (oh, the utter shame of it all) was being used to mount
a DoS attack on some poor IP.

Action:

1. Booted to /dev/hda4 and found exactly the same result.
2. I have no idea how to coerce Windows to tell me what is going on.
3. I have backed up my /home/brian to an .iso on an external storage drive
(LaCie, if you want to know).
4. Reformatted /dev/hda2 and reinstalled Ubuntu Breezy.

Planned action, and before I get back on the net, a few questions:

1. Is nmapfe possibly picking up activity from my XP partition? Yes, I
know, impossible, but hope ever springs eternal.
2. Is the trojan possibly already present on /dev/hda4?
3. I had planned to set up Ubuntu on a fresh install on what was /dev/hda2,
then transfer /home/brian back to it, and then reformat /dev/hda4...
can I expect the trojan to be reinstalled by re-installing my home
partition?
4. The backup on the backup disk: is the trojan present there already?

So, the real issue is this: how do I remove the beast entirely, and get a
clean install with intact data?

Furthermore: How can it possibly have been so quickly installed in the first
place? Logs show intrusion attempts, but no successful intrusion attempts.
The very presence of the trojan tells me this is by definition incorrect.

What do the gurus here recommend as a good plan of action?

All the best to all,

Brian