trojan - removal problems
bfwalker at gmail.com
Thu Jan 26 08:27:10 UTC 2006
On 26/01/06, Billy Verreynne (JW) <VerreyB at telkom.co.za> wrote:
> Peter Garrett wrote:
> root at prospero:/dev # fuser .static/dev/*
> .static/dev/fd: 25148
> .static/dev/stderr: 22529 25134 25148
> .static/dev/stdin: 22529 25134 25148
> .static/dev/stdout: 22529 25134 25148
> Ditto. That is what I see too.
> Brian, it is not a great idea deleting stuff in /dev. However, the
> /dev tree can be rebuilt using /dev/MAKEDEV. But this script differs
> from distrib to distrib so better manpage it before trying it.
> Hmm.. also maybe a good idea to do this at the console after having
> booted into single user mode.
> netstat and lsof also may be interesting for you as a trojan will
> surely attempt network access - listening on a UDP or TCP port...?
Yes - here is what I have
1. currently listening on 27665 is trojan trinoo_master. (UDP idle scan
2. rebooting netstat -tlp shows udp ports open and listening on 8265, 8218
3. fuser shows that the directory /dev/.static/dev/ is NOT a directory, at
least, it is not the directory I think it should be
I will boot from Penguin sleuth and see more details, before deleting the
/dev/.static/ directory, then (if I can reboot!) recheck as before.
On googling for trinoo_master, I see very little about what to do, where the
beast hides, and therefore not much can be done to remove it. Having done a
clean install I still find traces of the beast. Therefore, tracking down the
beast's lair and destroying it is the way forward. So far, there is no report
that I know of to say where we can likely find the lair.
My supposition is that trinoo_master lurks in this seemingly correct
directory, and is therefore an ongoing threat to my computer.
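
An added example, not part of the original message: the netstat/lsof suggestion in the quoted reply comes down to tying each listening port to the process that holds it, because a port number alone (27665 here) does not identify the program behind it. This Python sketch reads the Linux /proc tables directly; the function names and the sample row are constructed for illustration, and only the IPv4 tables are covered.

```python
import glob
import os

# TCP LISTEN is state 0A; a bound, unconnected UDP socket is state 07.
LISTEN_STATE = {"tcp": "0A", "udp": "07"}
# Constructed sample in /proc/net/tcp layout (not taken from the poster's machine).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:6C11 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9002 1 0 20 4 30 10 -1
"""

def parse_listeners(table_text, proto):
    """Return [(port, inode)] for listening sockets in /proc/net/<proto> text."""
    found = []
    for line in table_text.splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN_STATE[proto]:
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)     # local_address is HEXIP:HEXPORT
        found.append((port, int(f[9])))            # field 9 is the socket inode
    return found

def owners_by_inode():
    """Return {inode: [(pid, exe)]} by reading every /proc/<pid>/fd link."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:                            # process exited or no permission
            continue
        if not target.startswith("socket:["):
            continue
        pid = fd.split("/")[2]
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = "?"
        owners.setdefault(int(target[8:-1]), []).append((int(pid), exe))
    return owners

def report():
    owners = owners_by_inode()
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as fh:
            for port, inode in parse_listeners(fh.read(), proto):
                print(proto, port, owners.get(inode) or "no owning process visible")

if __name__ == "__main__":
    report()
```

Run it as root so the fd links of every process are readable. A port reported with no owning process is either a kernel-owned socket or one whose owner is hidden from the running system, which is a reason to repeat the check from trusted boot media.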