Thread: my linux box has been cracked

  1. #1
    Junior Member
    Join Date
    Apr 2002
    Posts
    9

    my linux box has been cracked

    someone got into my linux box and installed a process which does a port scan periodically.
    I stopped the port scan with an ip-chain command. I cannot find the infected binary or process however.

    Does anyone have advice on this issue?

    thank you
    mike

  2. #2
    Could be using hidden files; search for them. Also, if you know when they got in, search for files which were modified or new around that same time they got in. Also, if you look in top, doesn't it give any sort of name?

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    317
    If you are to kill the process ("kill -9 pid"), will it auto restart? If it does, you will want to check your cron entries. More often than not, you will find an entry that you just know should not be there.

    Hope this helps and good luck.
    Regards

    <edit>
    I use FreeBSD and the cron entries are invoked through /etc/crontab, which will also invoke items from /var/cron/tabs to be run automatically. I don't know if this translates the same to Linux, but it is most certainly worth looking at.
    </edit>
    "I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."

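A triage helper along the lines of replies #2 and #3 (search for recently modified and dot-named files, list what cron will run). This is an added example, not code posted in the thread; it assumes GNU find (-mmin, -mindepth) and a POSIX shell, and the sample tree it searches is constructed inside the script.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes GNU find (-mmin, -mindepth)
# and a POSIX shell; the sample tree at the bottom is constructed here only to
# demonstrate the searches. On a real box run the helpers against / as root.

# Regular files under DIR modified in the last MINUTES minutes. Pick a window
# around the time you think they got in; dropped or replaced binaries show up.
recent_mods() {
  find "$1" -xdev -type f -mmin "-$2" 2>/dev/null | sort
}

# Dot-named files and directories under DIR. Names like "..." or ". " inside
# /tmp, /dev or /var/tmp are a classic place to park a scanner.
hidden_entries() {
  find "$1" -xdev -mindepth 1 -name '.*' 2>/dev/null | sort
}

# Every non-comment cron line this host will run: system crontab, /etc/cron.d
# drop-ins and the user spool (reading the spool needs root). A process that
# comes back after kill -9 is usually relaunched from one of these.
cron_entries() {
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
    [ -f "$f" ] && grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
  done
  return 0
}

# Constructed sample tree: an old untouched binary, a freshly replaced one and
# a hidden directory holding a recently dropped file. Prints the tree's root.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/tmp/..."
  printf 'original\n' > "$root/usr/bin/ls"
  touch -t 200207010000 "$root/usr/bin/ls"   # untouched since July 2002
  printf 'trojaned\n' > "$root/usr/bin/netstat"
  printf 'scanner\n' > "$root/tmp/.../scan"
  echo "$root"
}

sample=$(build_sample_tree)
echo "== modified in the last 60 minutes under $sample"
recent_mods "$sample" 60
echo "== hidden entries"
hidden_entries "$sample"
echo "== cron entries on this host"
cron_entries
rm -rf "$sample"
```

The cron listing is only as good as the files cron actually reads on your distribution, so check /etc/cron.daily and friends too if the process keeps coming back.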

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    It could be a trojan, which port scans and then runs the normal program. Run a virus/trojan scan against all the binaries in your $PATH directories, maybe...

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    If your box has been compromised, you should do a clean reinstall. There are just so many ways to hide backdoors, rootkits, etc.

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Ammo is right, you are going to have to do a clean re-install.

    Do you have chkrootkit? If not, you can download it from http://www.chkrootkit.org. It is a small program that will scan your system for commonly installed rootkits (trojans), and if you find what you have been infected by, you may be able to do some research as to how it was put there in the first place and safeguard against it happening again.

    If you haven't already, make sure you download all the updates for your Linux Distro and apply them when you get your system back up and running.

    Good luck.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Personally, I go along with what Ammo says. The only way to guarantee system security is by FFRing. FFR stands for FDISK (as in, delete your partitions), FORMAT (as in, recreate the partitions freshly formatted), REINSTALL.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    Does anyone have advice on this issue?

    I agree too, re-install, and next time install Aide or Tripwire so you'll know what was added and what files were modified.

    Sharky
