trojan problem

Tristan Wibberley maihem at maihem.org
Sun Jan 22 16:21:38 UTC 2006


DISCLAIMER: I am not a guru, my opinions do not represent those of my 
employer. Any advice or analysis I have given below is given in my 
capacity as a hobbyist and does not necessarily correspond to the advice 
or analysis I would have given if I had given my opinion in a 
professional capacity. In particular, it has not been reviewed for 
accuracy or completeness.  damage your computer. Beware of nasal demons.

Brian Walker wrote:
> Dear All,
> 
> It pains me to say so, but I have a trojan somewhere on my system, and it is
> a pain. I need help to rid myself of it.
> 
> Description:
> Home built Intel box, 120GB HD 2 GB RAM booting:
> 
> /dev/hda1 Windows XP
> /dev/hda2 Ubuntu Breezy
> /dev/hda4 another version of Breezy after a borked dist-upgrade - due to be
> removed and reformatted, but not got round to it yet.
> 
> Grub boot into /dev/hda2 Breezy, and using that partition for all
> work-related things. Recently tried to re-install Quasar ( a great CRM and
> POS software  BTW) but I tried to do it via cvs, and needed to enable ssh
> for that. This I did.
> 
> nmapfe as root showed
> 
> 1. I had unexplained open ports in the high regions
> 2. trinoo_master was on port 27665
> 3. a number of slaves were operating (googled to get extensive info on
> trinoo_master ... this is typical behaviour of the trojan)
> 
> Result - my computer (oh the utter shame of it all) was being used to mount
> a DoS attack on some poor IP.
> 
> Action:
> 
> 1. booted to /dev/hda4 and found exactly the same result.
> 2. I have no idea how to coerce windows to tell me what is going on.
> 
> 3. I have backed up my /home/brian to an .iso on an external storage  drive
> (LaCie if you want to know)
> 4. Reformatted /dev/hda2 and reinstalled Ubuntu Breezy.
> 
> Planned action, and before I get back on the net, a few questions:
> 
> 1. Is nmapfe possibly picking up activity from my XP partition?? Yes, I
> know, impossible, but hope ever springs eternal

Nope.

> 2. is the trojan possibly already present on /dev/hda4?

Quite possibly.

> 3. I had planned to set up Ubuntu on a fresh install on what was /dev/hda2,
> then transfer the /home/brian back to it, and then reformat /dev/hda4 ....
> can I expect the trojan to be reinstalled by re-installing my home
> partition?

It is possible, as it could be located there - especially if you share 
your home partition between your two Breezy boots - that would explain 
why it is present on both boots.

> 4. The back up on the backup disk - is the trojan present there already?

Possibly

Do *not* type your password in after logging in (i.e., do not run sudo, do 
not run any of the system admin programs, do not return to your desktop 
from a locked screen saver, etc). This could allow the trojan to snoop 
your password, then it could run sudo -s to get a root shell just like 
you can.

I suggest booting to single user mode (recovery mode), or booting from 
the Ubuntu Live CD. From there, search for anything odd (whatever google 
says to look for WRT that trojan).

> So - the real issue is this: How do I remove the beast entirely, and get a
> clean install with intact data?
> 
> Furthermore: How can it possibly have been so quickly installed in the first
> place? Logs show intrusion attempts, but no successful intrusion attempts.
> The very presence of the trojan tells me this is by definition incorrect.

The malware might only be running as your regular user account - e.g., a 
firefox bug, or xchat, or something like that. Or you might have 
actually downloaded and run a program or script from who-knows-where 
which wasn't what it claimed to be. In particular, a trojan does *not* 
force its way in like a standard worm; it relies on *you* running it (or 
rather a program acting on your behalf). The trojan may then start a 
worm running, or be carrying viruses, or send trojans out to your 
contacts (normally referred to as an email worm - though it's not really 
a worm).

This is a strange case, though, as I thought trinoo was a Windows 
trojan. It is possible it is running via wine; try uninstalling wine 
from your system (if you have it installed), which may help narrow down 
what you are looking for. If not, then trinoo may have been ported to Linux.

-- 
Tristan Wibberley
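The two pieces of advice above (check the listening ports, and inspect the suspect disk from a Live CD without logging in and typing your password) can be turned into a small offline triage script. The following is an added example, not code from the original thread or from Ubuntu; it assumes the suspect partition has been mounted read-only under a Live CD (for instance `mount -o ro,noexec,nosuid,nodev /dev/hda2 /mnt/suspect`), that the socket listing is fed in as "proto local_address" lines (the form `netstat -tuln` or `ss -tuln` can be trimmed to), and that the port numbers other than 27665 (27444/udp and 31335/udp, the other ports trinoo is documented to use) are correct for the variant in question. Paths such as `/mnt/suspect/home/brian` are placeholders.

```shell
#!/bin/sh
# Offline triage helpers for a suspected trinoo-infected Ubuntu box.
# Added example; not from the original thread. Intended to be run from a
# Live CD with the suspect partitions mounted read-only, e.g.
#   mount -o ro,noexec,nosuid,nodev /dev/hda2 /mnt/suspect
# so nothing on the compromised disk gets executed while you look at it.

# 27665/tcp is the port from the thread; 27444/udp and 31335/udp are the
# other ports public analyses of trinoo describe (assumption: this variant
# uses the same ones).
TRINOO_PORTS="27665 27444 31335"

# flag_trinoo_ports: read "proto local_address" lines on stdin
# (e.g. "tcp 0.0.0.0:27665", as produced by trimming netstat/ss output)
# and print each line whose port is a known trinoo port.
# Returns 0 if at least one suspect line was seen, 1 otherwise.
flag_trinoo_ports() {
    found=1
    while read -r proto addr rest; do
        port=${addr##*:}            # strip everything up to the last ':'
        for p in $TRINOO_PORTS; do
            if [ "$port" = "$p" ]; then
                printf 'SUSPECT %s %s\n' "$proto" "$addr"
                found=0
            fi
        done
    done
    return $found
}

# list_user_persistence: given a (mounted, read-only) home directory, print
#   hook <file>       - per-user login/startup scripts that exist
#   autostart <file>  - desktop autostart entries
#   exec <file>       - executable files hidden under dot-files/dot-dirs
# These are the places a trojan running as the regular user (no root
# needed) can arrange to be restarted at login. A clean account usually
# shows only the hooks themselves; every "exec" line deserves a look.
list_user_persistence() {
    home=$1
    for hook in .bashrc .bash_profile .profile .xsession .xinitrc .xprofile; do
        [ -f "$home/$hook" ] && printf 'hook %s\n' "$home/$hook"
    done
    for d in "$home/.config/autostart" "$home/.kde/Autostart"; do
        [ -d "$d" ] && find "$d" -type f -print | sed 's/^/autostart /'
    done
    # executables under any dot-path: a common drop location for user-level
    # malware because nothing in the desktop file manager shows them
    find "$home" -path "$home/.*" -type f -perm -100 -print | sed 's/^/exec /'
}

# Usage (placeholder paths), run as a normal Live CD user:
#   ss -tuln | awk 'NR>1 {print $1, $5}' | flag_trinoo_ports
#   list_user_persistence /mnt/suspect/home/brian
```

The port check only tells you whether the box is still listening where trinoo would; the persistence listing is what answers Brian's question 3, because anything it prints from the backed-up home directory would come back with the restore. Restoring only the data files you recognise, rather than the whole dot-file tree, avoids that.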
