trojan problem

J.Markoll j.markoll at free.fr
Sun Jan 22 13:50:01 UTC 2006 

Brian Walker a écrit :
> Dear All,
> 
> It pains me to say so, but I have a trojan somewhere on my system, and it is
> a pain. I need help to rid myself of it.
> 
> Description:
> Home built Intel box, 120GB HD 2 GB RAM booting:
> 
> /dev/hda1 Windows XP
> /dev/hda2 Ubuntu Breezy
> /dev/hda4 another version of Breezy after a borked dist-upgrade - due to be
> removed and reformatted, but not got round to it yet.
> 
> Grub boot into /dev/hda2 Breezy, and using that partition for all
> work-related things. Recently tried to re-install Quasar ( a great CRM and
> POS software  BTW) but I tried to do it via cvs, and needed to enable ssh
> for that. This I did.
> 
> nmapfe as root showed
> 
> 1. I had unexplained open ports in the high regions
The list of the ports ?

> 2. trinoo_master was on port 27665
> 3. a number of slaves were operating (googled to get extensive info on
> trinoo_master ... this is typical behaviour of the trojan)
> 
> Result - my computer (oh the utter shame of it all) was being used to mount
> a DOS attack on some poor IP.
> 
> Action:
> 
> 1. booted to /dev/hda4 and found exactly the same result.
> 2. I have no idea how to coerce windows to tell me what is going on.
> 
> 3. I have backed up my /home/brian to an .iso on an external storage  drive
> (LaCie if you want to know)
If you store under a .tar.bz2 thanks to the 'tar' you will preserve the 
permissions as they are originally, otherwise, have fun! :(

> 4. Reformatted /dev/hda2 and reinstalled Ubuntu Breezy.
> 
> Planned action, and before I get back on the net, a few questions:
> 
> 1. Is nmapfe possibly picking up activity from my XP partition?? Yes, I
> know, impossible, but hope ever springs eternal
> 2. is the trojan possibly already present on /dev/hda4?
> 3. I had planned to set up Ubuntu on a fresh install on what was /dev/hda2,
> then transfer the /home/brian back to it, and then reformat /dev/hda4 ....
> can I expect the trojan to be reinstalled by re-installing my home
> partition?
> 4. The back up on the backup disk - is the trojan present there already?
> 
> So - the real issue is this: How do I remove the beast entirely, and get a
> clean install with intact data?
> 
> Furthermore: How can it possibly have been so quickly installed in the first
> place? Logs show intrusion attempts, but no successful intrusion attempts.
> The very presence of the trojan tells me this is by definition incorrect.
> 
> What do the gurus here recommend as a good plan of action?
> 
> All the best to all,
> 
> Brian
I'm none of a guru but the gurus use to say not to open Attached 
Documents that you don't know where it comes from, don't install third 
party software, have a strong password (more than 8 caracters with 
special caracters, high and low letters plus numbers, and don't write it 
to any place, keep it in mind).

If there is really a Trojan, you might get sure by doing complementary 
tests, with 'chkrootkit', with 'aide' and you might also like to do a 
more complete chech from the net:
http://www.virustotal.com/flash/index_en.html

but, be aware you can also get what's called 'false positive' results, 
that even experts don't know how to deal with.

The open ports I'm astonished, as an expert did scan my machine when I 
was under Hoary at the beginning, and no unuseful port was opened, which 
is fantastic for such a recent distribution.

Did you do a 'nmap' on localhost ? if yes, what result ?
Can you have someone to do it for you from the outside (a remote machine) ?
Incase of real doubt, I was told the best to clean a system is to 
reinstall it. That's the reason why we usually separate /home from the 
filesystem. (And a primary partition for each would be even stronger 
than the extended partition with logical volumes in it, but for other 
reasons).

You could install a firewall in anycase, if you need to feel more 
secure. Such as for example lokkit, very easy to configure, or Bastille, 
which is meant to securise and learn at same time.
Best greetings, Joyce Markoll.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060122/6f7b4a39/attachment.sig>

More information about the ubuntu-users mailing list