trojan - removal problems
timfrost at xtra.co.nz
Fri Jan 27 08:52:17 UTC 2006
On Fri, 2006-01-27 at 16:31 +0800, Brian Walker wrote:
> To complete the topic - and many thanks for the advice so far:
> 1. /dev/.static/dev/ was perceived as a threat (rkhunter)
Not a problem. rkhunter is too sensitive to "hidden" directories.
Because /dev is dynamically created, you need to tell rkhunter to ignore
> 2. I umounted /dev/.static/dev and rm -R that directory, cd back
> to .static and was able to rm -R that directory too.
> 3. nmap previously showed trinoo and a whole host of nasties
> listening, but I suspect they were less able to "perform" due to
> Bastille being fairly well configured, but ...
> 4. rebooting showed .static has reappeared, and with it the trinoo
> scenario. (Also showed that removing that directory was not a problem
> with booting, and I suspect even more than ever that infestation with
> trinoo will lead to a seemingly innocuous directory being created. If
> you do see the signs, do rkhunter -c and check the hidden files. It
> will NOT show up as a named threat on the scan)
Configure rkhunter to ignore the dynamically-generated directories.
> I have already performed 2 clean installs, and the trojan persists. I
> can clear it, and scanning shows it to be under control, but I need to
> wipe it off the face of my disk.
> Question: if a clean install fails to do it, what else can I do?
> (Off for a four day break - I would appreciate your replies, but do
> not feel me discourteous if I do not reply immediately)
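
Added example, not part of the original message or of rkhunter itself: one way to act on the advice to make rkhunter ignore dynamically generated directories, while still listing any hidden directory the mount table does not explain. `ALLOWHIDDENDIR` is rkhunter's configuration option for expected hidden directories; the "has a mount point at or below it" rule, the function names and the sample mount table and paths are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): whitelist hidden /dev directories for
# rkhunter only when the mount table explains them; list the rest for review.

# has_mount_under MOUNTS DIR: succeeds if a mount point is at or below DIR.
has_mount_under() {
    awk -v d="$2" '$2 == d || index($2, d "/") == 1 { f = 1 } END { exit !f }' "$1"
}

# allow_hidden_dir CONF DIR: append ALLOWHIDDENDIR=DIR unless already present.
allow_hidden_dir() {
    grep -Fxq "ALLOWHIDDENDIR=$2" "$1" && return 0
    printf 'ALLOWHIDDENDIR=%s\n' "$2" >> "$1"
}

# triage_hidden_dirs CONF MOUNTS DIR...: whitelist explained dirs in CONF and
# print the unexplained ones, one per line, for manual inspection.
triage_hidden_dirs() {
    conf=$1 mounts=$2
    shift 2
    for dir in "$@"; do
        if has_mount_under "$mounts" "$dir"; then
            allow_hidden_dir "$conf" "$dir"
        else
            printf '%s\n' "$dir"
        fi
    done
}

# Constructed sample: a mount table shaped like /proc/mounts and an empty config.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'udev /dev tmpfs rw 0 0' \
        '/dev/hda1 /dev/.static/dev ext3 rw 0 0' > "$tmp/mounts"
    : > "$tmp/rkhunter.conf"
    # /dev/.hidden-example is a made-up path with no mount behind it.
    triage_hidden_dirs "$tmp/rkhunter.conf" "$tmp/mounts" \
        /dev/.static /dev/.hidden-example
    cat "$tmp/rkhunter.conf"
    rm -rf "$tmp"
}

demo
```

On a real system the two file arguments would be the rkhunter configuration file and `/proc/mounts`; anything the function prints instead of whitelisting still needs to be looked at by hand.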