trojan - removal problems
bfwalker at gmail.com
Wed Jan 25 11:47:49 UTC 2006
having reinstalled ubuntu after being infected with trinoo_master on port
27665, I discovered that there is still a problem.
1. netstat -tlp revealed open ports listening at the 3xxxx port range. I
killed the PID associated.
2. then nmap showed no problems, but
3. rkhunter suggested some hidden files in /dev needed to be looked at.
4. /dev/.static is a problem.
I removed two other suspicious directories, including a file in /etc ....
/etc/.pwd.lock ... but I cannot remove .static. It contains a directory:
/dev/.static/dev which is empty, but rm -R .static/ fails:
# rm -R .static
rm: cannot remove directory `.static/dev': Device or resource busy
# ls -l .static/
drwxrwxrwx 2 brian brian 28672 2006-01-25 16:59 dev
(I chown, chgrp and chmod to see if I could remove the beastie ..)
lsattr shows nothing
mount shows no association to other processes.
I strongly suspect this is the source of a problem. How can I delete that
directory, and clean the space it occupies? All suggestions gratefully
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ubuntu-users