trojan - removal problems

Billy Verreynne (JW) VerreyB at telkom.co.za
Thu Jan 26 09:37:44 UTC 2006


Brian Walker wrote:

==
Yes - here is what I have

1. currently listening on 27665 is trojan trinoo_master. (UDP idle
scan using nmap)
2. rebooting netstat -tlp shows udp ports open and listening on 8265,
8218 and 8419.
3. fuser shows that the directory /dev/.static/dev/ is NOT a
directory, at least, it is not the directory I think it should be
==


A file handle (which is what a socket handle also is) is owned by a
process image in the kernel.. unless I'm mistaken?

Thus with netstat/lsof you should be able to uncover the Unix PID(s)
of the trojan. Once you have that you can use that to track down the
executable image on disk that was loaded as the process image into the
kernel. Assuming of course that it has not injected/rootkit'ed actual
valid process executables (or even shared libs - which is what I would
aim for if I was writing a backdoor).

Another idea.. MD5 checksums. These should be available for valid o/s
executables. You can do a comparison. Or why not force re-install the
Ubuntu packages you believe are infected? That should remove and
replace the infected file(s).

Also, disable all services. Even networking. Boot into console mode
(why does Debian not treat init level 3 as multi-user non-X and level
5 as multi-user X?) to make sure that the absolute bare minimum is
running.

Then enable services manually one by one using netstat/lsof/ps to keep
track of what processes are started and what they do.


--
Billy
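The port-to-PID-to-executable-to-package chain Billy describes, as an added example that is not part of the original thread. It is a POSIX sh script: the parsing step runs against a constructed `netstat -lnp` snapshot embedded in the script (the PIDs, program names and port numbers in it are made up, with 27665 borrowed from Brian's report), so it can be tried offline; pass a port number as the first argument to run it against the live host instead. `readlink /proc/PID/exe`, `dpkg -S` and `dpkg -V` are real Linux/Debian tools; `pids_for_port`, `exe_for_pid`, `verify_exe` and `port_report` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the ubuntu-users thread: walk a listening port back
# to the on-disk executable behind it and check that file against its package.

# Constructed sample of `netstat -lnp` output (PIDs and names are invented).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:27665           0.0.0.0:*                           4711/ns
udp        0      0 0.0.0.0:8265            0.0.0.0:*                           4711/ns
udp        0      0 0.0.0.0:68              0.0.0.0:*                           603/dhclient'

# pids_for_port PORT [NETSTAT_OUTPUT]
# Prints the unique PIDs whose local address ends in :PORT. Without a second
# argument the live `netstat -lnp` output is used (needs root to see all PIDs).
pids_for_port() {
    port="$1"
    input="${2:-$(netstat -lnp 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v port="$port" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, addr, ":")          # last element is the port
            if (addr[n] == port) {
                split($NF, prog, "/")         # PID/Program name column
                if (prog[1] ~ /^[0-9]+$/) print prog[1]
            }
        }' | sort -u
}

# exe_for_pid PID
# The kernel keeps the loaded image reachable via /proc/PID/exe even if the
# file was unlinked afterwards; readlink then shows a " (deleted)" suffix,
# which is itself a strong hint that the process is not a packaged service.
exe_for_pid() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# verify_exe PATH
# Finds the owning Debian package and recomputes the file checksums that the
# package shipped (dpkg -V uses the md5sums list), reporting any mismatch.
verify_exe() {
    exe="${1% (deleted)}"
    pkg=$(dpkg -S "$exe" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$exe: not owned by any installed package - prime suspect"
        return 1
    fi
    if dpkg -V "$pkg" 2>/dev/null | grep -qF -- "$exe"; then
        echo "$exe: differs from what package $pkg shipped (checksum mismatch)"
        return 2
    fi
    echo "$exe: matches package $pkg"
}

# port_report PORT [NETSTAT_OUTPUT]
# Ties the three steps together for one port.
port_report() {
    port="$1"
    snapshot="$2"
    for pid in $(pids_for_port "$port" "$snapshot"); do
        exe=$(exe_for_pid "$pid")
        echo "port $port -> pid $pid -> ${exe:-<no /proc entry on this host>}"
        if [ -n "$exe" ]; then
            verify_exe "$exe" || :
        fi
    done
}

# With a port argument inspect the live host; otherwise demonstrate on the sample.
if [ -n "${1:-}" ]; then
    port_report "$1"
else
    port_report 27665 "$SAMPLE_NETSTAT"
fi
```

Two caveats match Billy's own warnings: on a modern system `ss -lnup` replaces `netstat -lnp`, and `dpkg -V` only proves anything if `dpkg`, libc and the md5sums lists on the disk are still trustworthy, which a rootkit that patches shared libraries can defeat; for a real verdict, run the checksum comparison from a clean boot medium against the mounted disk.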

