trojan - removal problems

Tony Arnold tony.arnold at manchester.ac.uk
Wed Jan 25 12:00:02 UTC 2006


Brian,


Brian Walker wrote:
> Greetings all,
> 
> having reinstalled ubuntu after being infected with trinoo_master on
> port 27665, I discovered that there is still a problem.
> 
> 1. netstat -tlp revealed open ports listening at the 3xxxx port range. I
> killed the PID associated.
> 2. then nmap showed no problems, but
> 3. rkhunter suggested some hidden files in /dev needed to be looked at.
> 4. /dev/.static is a problem.
> 
> I removed two other suspicious directories, including a file in /etc
> .... /etc/.pwd.lock ... but I cannot remove .static. It contains a
> directory: /dev/.static/dev which is empty, but rm -R .static/ fails:
> 
> # rm -R .static
> rm: cannot remove directory `.static/dev': Device or resource busy
> 
> # ls -l .static/
> total 28
> drwxrwxrwx  2 brian brian 28672 2006-01-25 16:59 dev
> 
> (I chown, chgrp and chmod to see if I could remove the beastie ..)
> 
> lsattr shows nothing
> mount shows no association to other processes.
> 
> I strongly suspect this is the source of a problem. How can I delete
> that directory, and clean the space it occupies? All suggestions
> gratefully received.

Have you tried booting into single user mode and then trying to delete
this file?

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
Manchester Computing, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
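
Added example, not part of the original messages: rm reports "Device or resource busy" (EBUSY) when a directory is itself a mount point, so this script lists the kernel-visible mounts at or below a directory, read from a file in /proc/mounts format. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find mounts that make a directory
# unremovable with EBUSY ("Device or resource busy").

# mounts_under DIR [MOUNTS_FILE]
# Prints "mountpoint fstype source" for every mount at or below DIR.
# Defaults to /proc/self/mounts, the kernel's own list of mounts.
mounts_under() {
    dir=${1%/}                      # drop one trailing slash
    [ -n "$dir" ] || dir=/          # "/" itself becomes empty above
    file=${2:-/proc/self/mounts}
    awk -v d="$dir" '
        {
            mp = $2
            # exact match, or a path strictly below d (component boundary)
            if (mp == d || d == "/" || index(mp, d "/") == 1)
                print mp, $3, $1
        }' "$file"
}

# Constructed sample in /proc/mounts format (hypothetical values).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
proc /proc proc rw 0 0
tmpfs /dev tmpfs rw 0 0
/dev/hda1 /dev/.static/dev ext3 rw 0 0
devpts /dev/pts devpts rw 0 0
/dev/hda1 /dev/.staticfoo ext3 rw 0 0
EOF
}

# Run the check against the constructed sample.
report() {
    tmp=$(mktemp) || return 1
    sample_mounts > "$tmp"
    mounts_under /dev/.static "$tmp"
    rm -f "$tmp"
}

# With arguments, check the live system; without, show the sample result.
if [ "$#" -gt 0 ]; then
    mounts_under "$@"
else
    report
fi
```

Run as `sh script.sh /dev/.static` to query the running system; any line printed names a mount that must be unmounted before the directory can be removed.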
