Looks 0wn3d to me.  :(  The trojan probably put in some hack
processes, hid them, and installed its own shell to run a script to
take down the box.   That's my guess anyway.  I wouldn't
trust the machine from this point forward, given the fact that
chkrootkit is very trustworthy.   <br>
<br>
Marc<br>
<br>
<br><br><div><span class="gmail_quote">On 4/14/05, <b class="gmail_sendername"><a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com</a></b> <<a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">From: <a href="mailto:kevin.j.lisciotti@jpmchase.com">kevin.j.lisciotti@jpmchase.com</a><br>
Sent by: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Date: 04/14/2005 02:58 PM<br>
Please respond to: For users of Fedora Core releases<br>
To: For users of Fedora Core releases <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>><br>
cc: "'For users of Fedora Core releases'" <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>>, <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Subject: RE: Network problems<br>
<br>
<br>
From: "Thomas E. Dukes" <<a href="mailto:edukes@alltel.net">edukes@alltel.net</a>><br>
Sent by: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a><br>
Date: 04/14/2005 02:49 PM<br>
Please respond to: For users of Fedora Core releases<br>
To: "'Marc M'" <<a href="mailto:linuxr@gmail.com">linuxr@gmail.com</a>>, "'For users of Fedora Core releases'" <<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a>><br>
cc:<br>
Subject: RE: Network problems<br>
<br>
<br>
From: <a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a> [mailto:<a href="mailto:fedora-list-bounces@redhat.com">fedora-list-bounces@redhat.com</a>] On Behalf Of Marc M<br>
Sent: Thursday, April 14, 2005 1:38 PM<br>
To: For users of Fedora Core releases<br>
Subject: Re: Network problems
<br><br>Are the lights on, on the switch's ports that you are using? Have you rebooted the switch? Are you able to connect with other machines or ports (say a laptop)? Is the light working on the nic? Cabling good?<br><br>
If you have multiple nics you should stop/start them and see if you can get one to work, sometimes one works when another won't. service network stop, ifup eth0, ifup eth1, etc. Look at your dmesg and see whether it finds your eth0 or eth1, that'd be nice to know....<br><br>
If you are able to narrow it down to the one FC2 box (and within the os), then I would say that lastly you should run a chkrootkit utility on the box to see if you have been own3d.<br><br>
I ran chkrootkit and I found this:<br><br>
Checking `bindshell'... INFECTED (PORTS:  1524 31337)<br>
Checking `lkm'... You have    12 process hidden for readdir command<br>
You have    12 process hidden for ps command<br>
Warning: Possible LKM Trojan installed<br><br>
This looks like a problem!!  What is bindshell?  I did a locate but could not find it installed.  What do I need to do?<br><br>
TIA<br>
Cheers<br>
Marc<br><br>
It appears as though you have been hacked aka 0wn3d :) You better back up your data and rebuild the system.<br><br>
As a followup, can you telnet to the ports indicated, and what do you see?<br><br>
--<br>
fedora-list mailing list<br>
<a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a><br>
To unsubscribe: <a href="http://www.redhat.com/mailman/listinfo/fedora-list">http://www.redhat.com/mailman/listinfo/fedora-list</a><br></blockquote></div><br>
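As an added example that is not part of this thread, the script below reproduces the two checks the quoted chkrootkit output rests on: diffing independent views of the process table (the basis of the "process hidden for readdir/ps command" warning) and reading LISTEN sockets straight from /proc/net/tcp rather than trusting netstat or a telnet probe (the "bindshell" ports 1524 and 31337). The function names and the sample /proc/net/tcp data are constructed for illustration.

```python
"""Independent cross-checks behind the two chkrootkit findings quoted above.
Function names and the sample data are constructed for this example."""
import os
import subprocess

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN sockets in /proc/net/tcp

def pids_via_readdir(proc="/proc"):
    """PIDs that a plain readdir() of /proc exposes (what an LKM rootkit filters)."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}

def pids_via_ps():
    """PIDs the ps(1) binary reports (the binary itself may have been replaced)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    return {int(p) for p in out.split()}

def hidden_pids(readdir_pids, ps_pids, probe_pids):
    """Map each PID known to exist (probe_pids, e.g. kill(pid, 0) over 1..pid_max, skipping
    thread ids whose /proc/<pid>/status Tgid != pid) to the views that omit it.  {} is
    clean; anything else is chkrootkit's 'N process hidden for readdir/ps command'."""
    views = (("readdir", readdir_pids), ("ps", ps_pids))
    report = {}
    for pid in sorted(probe_pids):
        missing = [name for name, seen in views if pid not in seen]
        if missing:
            report[pid] = missing
    return report

def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text and return the set of ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # line 0 is the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == TCP_LISTEN:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # local_address = hexip:hexport
    return ports

def suspicious_listeners(ports, watch=(1524, 31337)):
    """Ports from chkrootkit's bindshell list that are actually open."""
    return sorted(p for p in watch if p in ports)

# Constructed /proc/net/tcp: sshd on 22 (0x0016), a listener on 31337 (0x7A69), one ESTABLISHED (st 01) row to ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: 0100007F:0CB2 0100007F:9A1C 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0 20 4 30 10 -1
"""

if __name__ == "__main__":  # constructed scenario: PID 4242 exists but neither view lists it
    print(hidden_pids({1, 2, 3}, {1, 2, 3}, {1, 2, 3, 4242}))
    print(suspicious_listeners(listening_ports(SAMPLE_PROC_NET_TCP)))
```

On a live box, feed `hidden_pids()` the sets from `pids_via_readdir()`, `pids_via_ps()` and your own kill(pid, 0) sweep, and pass the contents of /proc/net/tcp (and /proc/net/tcp6) to `listening_ports()`.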