Network problems

Marc M linuxr at gmail.com
Thu Apr 14 19:13:49 UTC 2005


Looks 0wn3d to me. :( The trojan probably put in some hack processes, hid 
them, and installed its own shell to run a script to take down the box. 
That's my guess anyway. I wouldn't trust the machine from this point 
forward, given the fact that chkrootkit is very trustworthy. 

Marc



On 4/14/05, kevin.j.lisciotti at jpmchase.com <kevin.j.lisciotti at jpmchase.com> 
wrote:
> 
> From: kevin.j.lisciotti at jpmchase.com
> Sent by: fedora-list-bounces at redhat.com
> Date: 04/14/2005 02:58 PM
> Please respond to: For users of Fedora Core releases
> To: For users of Fedora Core releases <fedora-list at redhat.com>
> cc: "'For users of Fedora Core releases'" <fedora-list at redhat.com>, fedora-list-bounces at redhat.com
> Subject: RE: Network problems
> 
> From: "Thomas E. Dukes" <edukes at alltel.net>
> Sent by: fedora-list-bounces at redhat.com
> Date: 04/14/2005 02:49 PM
> Please respond to: For users of Fedora Core releases
> To: "'Marc M'" <linuxr at gmail.com>, "'For users of Fedora Core releases'" <fedora-list at redhat.com>
> cc:
> Subject: RE: Network problems
> 
> From: fedora-list-bounces at redhat.com
> [mailto:fedora-list-bounces at redhat.com] On Behalf Of Marc M
> Sent: Thursday, April 14, 2005 1:38 PM
> To: For users of Fedora Core releases
> Subject: Re: Network problems
> 
> Are the lights on, on the switch's ports that you are using? Have you
> rebooted the switch? Are you able to connect with other machines or
> ports (say a laptop)? Is the light working on the nic? Cabling good?
> If you have multiple nics you should stop/start them and see if you can
> get one to work, sometimes one works when another won't. service network
> stop, ifup eth0, ifup eth1, etc. Look at your dmesg and see whether it
> finds your eth0 or eth1, that'd be nice to know....
> 
> If you are able to narrow it down to the one FC2 box (and within the os),
> then I would say that lastly you should run a chkrootkit utility on the
> box to see if you have been own3d.
> 
> I ran chkrootkit and I found this:
> 
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
> Checking `lkm'... You have 12 process hidden for readdir command
> You have 12 process hidden for ps command
> Warning: Possible LKM Trojan installed
> 
> This looks like a problem!! What is bindshell? I did a locate but could
> not find it installed. What do I need to do?
> 
> TIA
> Cheers
> Marc
> 
> It appears as though you have been hacked aka 0wn3d :) You better back up
> your data and rebuild the system.
> 
> As a followup, can you telnet to the ports indicated, and what do you see?
> 
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
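
Added example (not part of the original thread, and not chkrootkit's own code): one way to see which listening sockets sit on the ports named in the `bindshell` line above, by parsing text in /proc/net/tcp format. The sample table is constructed, and the address decoding assumes a little-endian host.

```python
# Added example: find LISTEN sockets on the ports chkrootkit flagged.
# Input is text in /proc/net/tcp format; SAMPLE below is constructed data.

FLAGGED_PORTS = {1524, 31337}   # ports from the chkrootkit output in the thread
TCP_LISTEN = "0A"               # state code for LISTEN in /proc/net/tcp

SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1 c1a2b3c4 300 0 0 2 -1
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7731 1 c1a2b3c5 300 0 0 2 -1
   2: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7732 1 c1a2b3c6 300 0 0 2 -1
   3: 0A00000A:0016 0A000014:C350 01 00000000:00000000 02:000A0000 00000000     0        0 7801 3 c1a2b3c7 20 4 1 2 -1
"""


def decode_addr(field):
    """'0100007F:7A69' -> ('127.0.0.1', 31337); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    octets = bytes.fromhex(ip_hex)[::-1]          # stored in host byte order
    return ".".join(str(b) for b in octets), int(port_hex, 16)


def flagged_listeners(proc_net_tcp_text, ports=FLAGGED_PORTS):
    """Return one dict per LISTEN socket whose local port is in `ports`."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue                                   # not a listening socket
        ip, port = decode_addr(fields[1])
        if port in ports:
            hits.append({"ip": ip, "port": port,
                         "uid": int(fields[7]), "inode": int(fields[9])})
    return hits


if __name__ == "__main__":
    for hit in flagged_listeners(SAMPLE):
        print(hit)
```

The inode of each hit can be matched against the `socket:[inode]` links under /proc/<pid>/fd to identify the owning process. Because the same chkrootkit run also warns of a possible LKM trojan, /proc on that host may itself be filtered, so a clean result from the running system does not clear it.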