trojan - removal problems

Brian Walker bfwalker at gmail.com
Thu Jan 26 08:27:10 UTC 2006


On 26/01/06, Billy Verreynne (JW) <VerreyB at telkom.co.za> wrote:
>
>
> Peter Garrett wrote:
> ==
> root at prospero:/dev # fuser .static/dev/*
> .static/dev/fd:      25148
> .static/dev/stderr:  22529 25134 25148
> .static/dev/stdin:   22529 25134 25148
> .static/dev/stdout:  22529 25134 25148
> ==
>
> Ditto. That is what I see to.
>
> Brian, it is not a great idea deleting stuff in /dev. However, the
> /dev tree can be rebuild use /dev/MAKEDEV. But this script differs
> from distrib to distrib so better manpage it before trying it.
>
> Hmm.. also maybe a good idea to do this at the console after having
> booted into single user mode.
>
>
> netstat and lsof also may be interesting for you as a trojan will
> surely attempt network access - listening on a UDP ot TCP port...?
>
>
Yes - here is what I have

1. currently  listening on 27665 is trojan trinoo_master. (UDP idle scan
using nmap)
2. rebooting netstat -tlp shows udp ports open and listening on 8265, 8218
and 8419.
3. fuser shows that the directory /dev/.static/dev/ is NOT a directory, at
least, it is not the directory I think it should be

I will boot from Penguin sleuth and see more details, before deleting the
/dev/.static/ directory, then (if I can reboot!) recheck as before.

On googling for trinoo_master, I see very little about what to do, where the
beast hides, and therefore not much can be done to remove it. Having done a
clean install I still find traces of the beast. Therefore, tracking down the
beast's lair and destroying is the way forward. So far, there is no report
that I know of to say where we can likely find the lair.

My supposition is that trinoo_master lurks in this seemingly correct
directory, and is therefore an ongoing threat to my computer.

Follow-up later!

Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20060126/8719749a/attachment.html>


More information about the ubuntu-users mailing list