trojan - removal problems

Tim Frost timfrost at
Fri Jan 27 08:52:17 UTC 2006

On Fri, 2006-01-27 at 16:31 +0800, Brian Walker wrote:
> To complete the topic - and many thanks for the advice so far:
> 1. /dev/.static/dev/ was perceived as a threat (rkhunter)

Not a problem.   rkhunter is too sensitive to "hidden" directories.
Because /dev is dynamically created, you need to tell rkhunter to ignore

> 2. I umounted /dev/.static/dev and rm -R that directory, cd back
> to .static and was able to rm -R that directory too. 
> 3. nmap previously showed trinoo and a whole host of nasties
> listening, but I suspect they were less able to "perform" due to
> Bastille being fairly well configured, but ...
> 4. rebooting showed .static has reappeared, and with it the trinoo
> scenario. (Also showed that removing that directory was not a problem
> with booting, and I suspect even more than ever that infestation with
> trinoo will lead to a seemingly innoucuous directory being created, If
> you do see the signs, do rkhunter -c and check the hidden files. It
> will NOT show up as a named threat on the scan)

Configure rkhunter to ignore the dynamically-generated directories.
> I have already performed 2 clean installs, and the trojan persists. I
> can clear it, and scanning shows it to be under control, but I need to
> wipe it off the face of my disk. 
> Question: if a clean install fails to do it, what else can I do?
> (Off for a four day break - I would appreciate your replies, but do
> not feel me discourteous if I do not reply immediately)
> Brian

More information about the ubuntu-users mailing list