trojan - removal problems
Brian Walker
bfwalker at gmail.com
Wed Jan 25 11:47:49 UTC 2006
Greetings all,
Having reinstalled Ubuntu after being infected with trinoo_master on port
27665, I discovered that there is still a problem.
1. netstat -tlp revealed open ports listening at the 3xxxx port range. I
killed the PID associated.
2. then nmap showed no problems, but
3. rkhunter suggested some hidden files in /dev needed to be looked at.
4. /dev/.static is a problem.
I removed two other suspicious directories, including a file in /etc ....
/etc/.pwd.lock ... but I cannot remove .static. It contains a directory:
/dev/.static/dev which is empty, but rm -R .static/ fails:
# rm -R .static
rm: cannot remove directory `.static/dev': Device or resource busy
# ls -l .static/
total 28
drwxrwxrwx 2 brian brian 28672 2006-01-25 16:59 dev
(I ran chown, chgrp and chmod to see if I could remove the beastie ...)
lsattr shows nothing
mount shows no association to other processes.
I strongly suspect this is the source of a problem. How can I delete that
directory, and clean the space it occupies? All suggestions gratefully
received.
Brian