trojan - removal problems

Brian Walker bfwalker at
Thu Jan 26 08:27:10 UTC 2006

On 26/01/06, Billy Verreynne (JW) <VerreyB at> wrote:
> Peter Garrett wrote:
> ==
> root at prospero:/dev # fuser .static/dev/*
> .static/dev/fd:      25148
> .static/dev/stderr:  22529 25134 25148
> .static/dev/stdin:   22529 25134 25148
> .static/dev/stdout:  22529 25134 25148
> ==
> Ditto. That is what I see to.
> Brian, it is not a great idea deleting stuff in /dev. However, the
> /dev tree can be rebuild use /dev/MAKEDEV. But this script differs
> from distrib to distrib so better manpage it before trying it.
> Hmm.. also maybe a good idea to do this at the console after having
> booted into single user mode.
> netstat and lsof also may be interesting for you as a trojan will
> surely attempt network access - listening on a UDP ot TCP port...?
Yes - here is what I have

1. currently  listening on 27665 is trojan trinoo_master. (UDP idle scan
using nmap)
2. rebooting netstat -tlp shows udp ports open and listening on 8265, 8218
and 8419.
3. fuser shows that the directory /dev/.static/dev/ is NOT a directory, at
least, it is not the directory I think it should be

I will boot from Penguin sleuth and see more details, before deleting the
/dev/.static/ directory, then (if I can reboot!) recheck as before.

On googling for trinoo_master, I see very little about what to do, where the
beast hides, and therefore not much can be done to remove it. Having done a
clean install I still find traces of the beast. Therefore, tracking down the
beast's lair and destroying is the way forward. So far, there is no report
that I know of to say where we can likely find the lair.

My supposition is that trinoo_master lurks in this seemingly correct
directory, and is therefore an ongoing threat to my computer.

Follow-up later!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the ubuntu-users mailing list