trojan problem

Tony Arnold tony.arnold at manchester.ac.uk
Sun Jan 22 13:57:50 UTC 2006


Brian,

Brian Walker wrote:

> /dev/hda1 Windows XP
> /dev/hda2 Ubuntu Breezy
> /dev/hda4 another version of Breezy after a borked dist-upgrade - due to
> be removed and reformatted, but not got round to it yet.
> 
> Grub boot into /dev/hda2 Breezy, and using that partition for all
> work-related things. Recently tried to re-install Quasar ( a great CRM
> and POS software  BTW) but I tried to do it via cvs, and needed to
> enable ssh for that. This I did.
> 
> nmapfe as root showed
> 
> 1. I had unexplained open ports in the high regions
> 2. trinoo_master was on port 27665
> 3. a number of slaves were operating (googled to get extensive info on
> trinoo_master ... this is typical behaviour of the trojan)
> 
> Result - my computer (oh the utter shame of it all) was being used to
> mount a DOS attack on some poor IP.
> 
> Action:
> 
> 1. booted to /dev/hda4 and found exactly the same result.

Are the two versions of Ubuntu using the same /home partition? It's
likely the trojan is in a hidden directory (e.g., one called just . in
your home directory), hence it's seen in both versions.

I would google for a rootkit finder tool such as rkhunter and run
that on your system. I'd also look carefully for any hidden directories.

I suspect that someone has got in on your account via ssh. They have
either harvested the username and password from your Windows system (are
they the same?) or they have done a brute force on your account and
effectively guessed your password.

If the former, then your Windows system is also compromised. The only
guaranteed way to clean it up is to re-install from scratch.

> 2. I have no idea how to coerce windows to tell me what is going on.
> 
> 3. I have backed up my /home/brian to an .iso on an external storage 
> drive (LaCie if you want to know)
> 4. Reformatted /dev/hda2 and reinstalled Ubuntu Breezy.
> 
> Planned action, and before I get back on the net, a few questions:
> 
> 1. Is nmapfe possibly picking up activity from my XP partition?? Yes, I
> know, impossible, but hope ever springs eternal

No.

> 2. is the trojan possibly already present on /dev/hda4?

More likely in your /home partition.

> 3. I had planned to set up Ubuntu on a fresh install on what was
> /dev/hda2, then transfer the /home/brian back to it, and then reformat
> /dev/hda4 .... can I expect the trojan to be reinstalled by
> re-installing my home partition?

If the trojan is in a hidden directory on your /home partition, then you
will just bring it back from the backup. Look for hidden dirs and run
rkhunter.

> 4. The back up on the backup disk - is the trojan present there already?

Possibly, see above.

HTH

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
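The "look carefully for any hidden directories" advice above, as an added POSIX shell example that is not part of the original thread: it walks a home tree for dot-directories and flags the names that are meant to be overlooked in an `ls` listing (a bare dot followed by blanks, or three or more dots), which is the "directory called just ." case the reply describes. The path argument and the sample directory layout are assumptions for demonstration.

```shell
#!/bin/sh
# Added example (not from the original mailing-list reply).
# Scan a directory tree for hidden directories whose names are chosen
# to blend in with the "." and ".." entries of a listing.

# Print every hidden directory (name starts with a dot) below $1.
# -mindepth 1 keeps the starting directory itself out of the output.
list_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null
}

# Return 0 (true) when the basename of $1 looks deliberately deceptive:
#   - three or more leading dots ("...", "....")
#   - nothing but dots and blanks (". ", ".  ", ". .")
# Ordinary dot-dirs such as .ssh or .mozilla return 1 (false).
is_suspicious_name() {
    name=$(basename -- "$1")
    case "$name" in
        ...*) return 0 ;;
    esac
    # Strip dots, spaces and tabs; an empty remainder means the name
    # was made only of characters that are invisible in a listing.
    stripped=$(printf '%s' "$name" | tr -d '. \t')
    [ -z "$stripped" ]
}

# Print only the suspicious hidden directories under $1, one per line.
# Each hit is a candidate for manual inspection before restoring a
# backup of that home directory.
find_suspicious_hidden_dirs() {
    list_hidden_dirs "$1" | while IFS= read -r d; do
        if is_suspicious_name "$d"; then
            printf '%s\n' "$d"
        fi
    done
}
```

Run it as `find_suspicious_hidden_dirs /home` from the restored system (or against the mounted backup) before copying anything back; an empty result does not replace an rkhunter run, since a rootkit can also hide in non-dot paths.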