trojan - removal problems

Colin Watson cjwatson at ubuntu.com
Wed Jan 25 12:07:32 UTC 2006


On Wed, Jan 25, 2006 at 07:47:49PM +0800, Brian Walker wrote:
> 1. netstat -tlp revealed open ports listening at the 3xxxx port range. I
> killed the PID associated.
> 2. then nmap showed no problems, but
> 3. rkhunter suggested some hidden files in /dev needed to be looked at.
> 4. /dev/.static is a problem.

/dev/.static is a normal part of the system; udev moves the static /dev
directory to /dev/.static/dev when it starts up. Don't remove it.

> I removed two other suspicious directories, including a file in /etc ....
> /etc/.pwd.lock

That's also normal; it's used by the lckpwdf() libc function to protect
against access to the shadow password file. You can remove it if you
like, but it'll be recreated the next time something calls lckpwdf().

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]



