-
July 10th, 2002, 08:08 PM
#1
Junior Member
my linux box has been cracked
someone got into my linux box and installed a process which does a port scan periodically.
I stopped the port scan with an ip-chain command. I cannot find the infected binary or process however.
Does anyone have advice on this issue?
thank you
mike
-
July 10th, 2002, 08:11 PM
#2
Could be using hidden files - search for them. Also, if you know when they got in, search for files which were modified or new around that same time. Also, if you look in top, doesn't it give any sort of name?
-
July 10th, 2002, 08:37 PM
#3
If you kill the process ("kill -9 pid"), will it auto restart? If it does, you will want to check your cron entries. More often than not, you will find an entry that you just know should not be there.
Hope this helps and good luck.
Regards
<edit>
I use FreeBSD and the cron entries are invoked through /etc/crontab which will also invoke items from /var/cron/tabs to be run automatically. I don't know if this translates the same to linux, but most certainly worth looking at.
</edit>
"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."
-
July 10th, 2002, 09:47 PM
#4
It could be a trojan, which port scans and then runs the normal program. Run a virus/trojan scan against all the binaries in your $PATH directories, maybe...
-
July 11th, 2002, 12:50 AM
#5
If your box has been compromised, you should do a clean reinstall. There are just so many ways to hide backdoors, rootkits, etc...
Ammo
Credit travels up, blame travels down -- The Boss
-
July 11th, 2002, 01:43 AM
#6
Ammo is right, you are going to have to do a clean re-install.
Do you have chkrootkit? If not, you can download it from http://www.chkrootkit.org. It is a small program that will scan your system for commonly installed rootkits (trojans), and if you find what you have been infected by, you may be able to do some research as to how it was put there in the first place and safeguard against it happening again.
If you haven't already, make sure you download all the updates for your Linux Distro and apply them when you get your system back up and running.
Good luck.
-
July 11th, 2002, 05:33 AM
#7
Personally, I go along with what Ammo says. The only way to guarantee system security is by FFRing. FFR stands for FDISK (as in, delete your partitions), FORMAT (as in, recreate the partitions freshly formatted), REINSTALL.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
July 11th, 2002, 05:58 AM
#8
Junior Member
Does anyone have advice on this issue?
I agree too, re-install and next time install Aide or Tripwire so you'll know what was added and what files were modified.
Sharky
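The Aide/Tripwire approach from the reply above (and the "search for new or modified files" advice in #2) boils down to a baseline-and-compare check over file hashes, ownership and permission bits. The script below is an added illustration of that idea, not part of this thread and not Aide or Tripwire code; its demo() builds a constructed tree in a temp directory and then simulates a replaced binary, a dropped hidden file and a permission change.

```python
import hashlib
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Hash, mode, owner and size of every regular file under root. Keep the result off the box (read-only media): an intruder with root can rewrite it."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            baseline[os.path.relpath(path, root)] = {
                "sha256": _sha256(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
            }
    return baseline

def compare(old, new):
    """Report paths added, removed or changed (content, mode or owner) since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a tree, then simulate the kind of changes a break-in leaves."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    for name, data in (("bin/ls", b"original ls"), ("bin/ps", b"original ps")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    before = build_baseline(root)
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"trojaned ps")  # replaced binary: content hash changes
    with open(os.path.join(root, "bin/.scan"), "wb") as f:
        f.write(b"port scanner")  # dropped hidden file: shows up as added
    os.chmod(os.path.join(root, "bin/ls"), 0o755)  # permission change, content intact
    return compare(before, build_baseline(root))
```

Run on a real system the baseline must be taken on a known-clean install, as the replies above say, because hashes of already-trojaned binaries prove nothing.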