Looks 0wn3d to me. :( The trojan probably put in some hack
processes, hid them, and installed its own shell to run a script to
take down the box. That's my guess anyway. I wouldn't
trust the machine from this point forward, given the fact that
chkrootkit is very trustworthy. <br>
<br>
Marc<br>
<br>
<br><br><div><span class="gmail_quote">On 4/14/05, <b class="gmail_sendername"><a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com</a></b> <<a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">From: <a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com</a><br>
Sent by: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Date: 04/14/2005 02:58 PM<br>
Please respond to: For users of Fedora Core releases<br>
To: For users of Fedora Core releases <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>><br>
cc: "'For users of Fedora Core releases'" <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>>, <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Subject: RE: Network problems<br>
<br>
From: "Thomas E. Dukes" <<a href="mailto:edukes@alltel.net">edukes@alltel.net</a>><br>
Sent by: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Date: 04/14/2005 02:49 PM<br>
Please respond to: For users of Fedora Core releases<br>
To: "'Marc M'" <<a href="mailto:linuxr@gmail.com">linuxr@gmail.com</a>>, "'For users of Fedora Core releases'" <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>><br>
cc:<br>
Subject: RE: Network problems<br>
<br>
From: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com
</a><br> [mailto:<a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a>] On Behalf Of Marc M<br> Sent: Thursday, April 14, 2005 1:38 PM<br> To: For users of Fedora Core releases<br> Subject: Re: Network problems
<br><br> Are the lights on, on the switch's ports that you are using? Have you<br> rebooted the switch? Are you able to connect with other machines or<br> ports (say a laptop)? Is the light working on the nic? Cabling good?
<br> If you have multiple nics you should stop/start them and see if you can<br> get one to work, sometimes one works when another won't. service network<br> stop, ifup eth0, ifup eth1, etc. Look at your dmesg and see whether it
<br> finds your eth0 or eth1, that'd be nice to know....<br><br> If you are able to narrow it down to the one FC2 box (and within the os),<br> then I would say that lastly you should run a chkrootkit utility on the<br> box to see if you have been own3d.
<br><br> I ran chkrootkit and I found this:<br><br> Checking `bindshell'... INFECTED (PORTS: 1524 31337)<br> Checking `lkm'... You have 12 process hidden for readdir command<br> You have 12 process hidden for ps command
<br> Warning: Possible LKM Trojan installed<br><br> This looks like a problem!! What is bindshell? I did a locate but could<br> not find it installed. What do I need to do?<br><br> TIA<br> Cheers<br> Marc<br><br> It appears as though you have been hacked aka 0wn3d :) You better back up
<br> your data and rebuild the system.<br><br>As a followup, can you telnet to the ports indicated, and what do you see?<br><br>--<br>fedora-list mailing list<br><a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com
</a><br>To unsubscribe: <a href="http://www.redhat.com/mailman/listinfo/fedora-list">http://www.redhat.com/mailman/listinfo/fedora-list</a><br></blockquote></div><br>
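An added example for the chkrootkit findings quoted in the thread; it is not code from the thread, from the list, or from chkrootkit itself. The script parses the quoted report lines into a structure an alerting rule can act on, repeats the hidden-process cross-check with three independent views of the process table (readdir on /proc, ps, and signal 0 to every candidate PID with thread IDs filtered out), and lists local listeners on the reported ports from /proc/net/tcp instead of connecting to them. The chkrootkit and /proc/net/tcp samples are constructed, and all function and variable names are the example's own. Every view is still obtained from the suspect kernel, so a module that also hooks the signal path can lie to all three, which is why the thread's advice to back up and rebuild rather than trust the host stands.

```python
import os
import re
import subprocess

# Constructed sample: the chkrootkit lines quoted in the thread.
SAMPLE_CHKROOTKIT_OUTPUT = """\
Checking `bindshell'... INFECTED (PORTS: 1524 31337)
Checking `lkm'... You have 12 process hidden for readdir command
You have 12 process hidden for ps command
Warning: Possible LKM Trojan installed
"""

# Constructed sample in /proc/net/tcp layout (header row omitted): a listener
# on 31337 (0x7A69, state 0A = LISTEN) and an established connection on 22 (01).
SAMPLE_PROC_NET_TCP = """\
   0: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

def parse_chkrootkit(output):
    """Turn chkrootkit's free-text report into a dict that alerting can use."""
    findings = {"infected": {}, "hidden_processes": {}, "warnings": []}
    for line in output.splitlines():
        if m := re.match(r"Checking `(\w+)'\.\.\. INFECTED(?: \(PORTS: ([\d ]+)\))?", line):
            ports = [int(p) for p in m.group(2).split()] if m.group(2) else []
            findings["infected"][m.group(1)] = ports
        elif m := re.search(r"You have (\d+) process(?:es)? hidden for (\w+) command", line):
            findings["hidden_processes"][m.group(2)] = int(m.group(1))
        elif line.startswith("Warning:"):
            findings["warnings"].append(line[len("Warning:"):].strip())
    return findings

def listening_ports(proc_net_tcp_text):
    """Local ports in LISTEN state (st == 0A) from /proc/net/tcp[6]-formatted text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return sorted(ports)

def live_proc_net_tcp():
    """Read /proc/net/tcp and tcp6 on this host; a missing file is skipped."""
    chunks = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                chunks.append(fh.read())
    return "".join(chunks)

def hidden_pids(views):
    """Per named view of the process table: PIDs another view reports but this one omits."""
    sets = {name: set(pids) for name, pids in views.items()}
    union = set().union(*sets.values())
    return {name: sorted(union - pids) for name, pids in sets.items()}

def pids_by_readdir():
    """View 1: what readdir() on /proc returns."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]

def pids_by_ps():
    """View 2: what ps reports."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    return [int(tok) for tok in out.stdout.split()]

def pids_by_probe():
    """View 3: signal 0 to every candidate PID. Filtering readdir/ps output does
    not change kill()'s answer. Threads of listed processes also answer, so
    thread IDs that are not themselves listed PIDs are dropped."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    except OSError:
        pid_max = 32768
    listed = set(pids_by_readdir())
    thread_ids = set()
    for pid in listed:
        try:
            thread_ids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # exited between the listing and this read
    alive = []
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if pid not in thread_ids or pid in listed:
            alive.append(pid)
    return alive

if __name__ == "__main__":
    findings = parse_chkrootkit(SAMPLE_CHKROOTKIT_OUTPUT)
    print("parsed report:", findings)
    reported = set(findings["infected"].get("bindshell", []))
    print("reported bindshell ports listening now:",
          sorted(reported & set(listening_ports(live_proc_net_tcp()))))
    # A short-lived process can show up in one view only; rerun and keep
    # only PIDs flagged both times before treating them as hidden.
    views = {"readdir": pids_by_readdir(), "ps": pids_by_ps(), "probe": pids_by_probe()}
    print("PIDs missing per view:", hidden_pids(views))
```

Run it as root on the suspect box and compare the three lists: a PID that only the probe view reports on two consecutive runs is a process the other two views are not showing, and a reported bindshell port that is still in the LISTEN set confirms the listener is present without sending anything to it.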