I think I have a Linux trojan!

jdini76

Platinum Member
Mar 16, 2001
Ok, here is the problem. My box has been acting weird lately: whenever I do a ps -ef I am not able to see any of my processes. Also, I get weird mail messages stating that mail has been sent back to my computer because the destination address is unknown, and the e-mail contains all information about my system state. It usually happens when I reboot the server. What do I do? I really don't understand how it got on there; it is a fresh install of Red Hat 7.2. Is there a way to see my processes so I can locate the running file? Any help would be greatly appreciated!
 

n0cmonkey

Elite Member
Jun 10, 2001
You did patch the system before putting it on the net, right? This sounds like a not-so-advanced kernel module. Check to see if you have any you don't recognize. netstat -an will show you connections your system is currently making. lsof can show you what those processes are.
 
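The symptom in the first post (processes missing from `ps -ef`) is usually a replaced `ps` binary or a kernel module filtering what `/proc` reports, and the cheapest second opinion is to list `/proc` yourself and diff it against what `ps` admits to. The script below is an added example for this thread, not anything the posters ran; it uses the same idea as chkrootkit's chkproc test, and the function names are hypothetical. It assumes a Linux procfs, and the live check runs twice a second apart so that processes which simply exited between the two listings are not reported as hidden.

```shell
#!/bin/sh
# Cross-check process visibility: /proc versus ps (added example, hypothetical names).

# pids_from_proc: every numeric directory under /proc, one PID per line
pids_from_proc() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# pids_from_ps: what the ps binary is willing to report
pids_from_ps() {
    ps -e -o pid= | tr -d ' '
}

# list_filter keep|drop LIST_A LIST_B: lines of A that are (keep) or are not
# (drop) present in B. Both lists are newline-separated strings.
list_filter() {
    mode=$1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$3" > "$tmp"
    printf '%s\n' "$2" | awk -v mode="$mode" '
        NR == FNR { if ($1 != "") seen[$1] = 1; next }   # first file: B
        $1 == "" { next }
        {
            hit = ($1 in seen)
            if ((mode == "keep" && hit) || (mode != "keep" && !hit)) print $1
        }' "$tmp" -
    rm -f "$tmp"
}

# hidden_pids PROC_LIST PS_LIST: PIDs in /proc that ps did not show
hidden_pids() { list_filter drop "$1" "$2"; }
# common_pids LIST_A LIST_B: PIDs flagged in both runs
common_pids() { list_filter keep "$1" "$2"; }

# loaded_modules: module names straight from /proc/modules, no lsmod needed
loaded_modules() {
    awk '{ print $1 }' /proc/modules 2>/dev/null
}

# report: live check. The command substitutions themselves fork short-lived
# shells, so a single pass always shows a few false positives; a second pass
# one second later gives different transient PIDs, and only PIDs hidden in
# both passes are printed.
report() {
    first=$(hidden_pids "$(pids_from_proc)" "$(pids_from_ps)")
    sleep 1
    second=$(hidden_pids "$(pids_from_proc)" "$(pids_from_ps)")
    stable=$(common_pids "$first" "$second")
    if [ -n "$stable" ]; then
        echo "PIDs present in /proc but missing from ps (inspect /proc/PID/exe and cmdline):"
        for p in $stable; do
            printf '  %s  %s\n' "$p" "$(readlink "/proc/$p/exe" 2>/dev/null || echo '?')"
        done
    else
        echo "ps and /proc agree on the process list"
    fi
    echo "Loaded kernel modules:"
    loaded_modules
}

# Run the live check only when asked: sh check-ps.sh --live
case "${1:-}" in --live) report ;; esac
```

A module that hides a process from `/proc` as well as from `ps` will pass this check, which is why the reply above also suggests looking at the module list and at sockets; agreement between `ps` and `/proc` is evidence, not a clean bill of health.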

jdini76

Platinum Member
Mar 16, 2001
Thanks man,

I did what you said, and I see things running, but I don't know what is supposed to be there. I have included the netstat output with this post. Could you take a look and let me know if anything is out of the ordinary? I see a lot of things running from my /tmp directory, but I don't really know if it should be there or not. Thanks.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
udp 0 0 192.168.1.2:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.2:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:3049 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 13 [ ] DGRAM 1087 /dev/log
unix 2 [ ACC ] STREAM LISTENING 1532 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 2266 /tmp/.fam_socket
unix 2 [ ACC ] STREAM LISTENING 1910 /tmp/.sawfish-joe/optimus.Cybertron.joe-shmoe.com:0.0
unix 2 [ ACC ] STREAM LISTENING 2281 /tmp/orbit-joe/orb-281288151197129365
unix 2 [ ACC ] STREAM LISTENING 2062 /tmp/orbit-joe/orb-460575787418643042
unix 2 [ ACC ] STREAM LISTENING 2073 /tmp/orbit-joe/orb-613782641346152204
unix 2 [ ACC ] STREAM LISTENING 2091 /tmp/orbit-joe/orb-2702098501191095947
unix 2 [ ACC ] STREAM LISTENING 2098 /tmp/orbit-joe/orb-752467062922421828
unix 2 [ ACC ] STREAM LISTENING 2127 /tmp/orbit-joe/orb-79728072878740721
unix 2 [ ACC ] STREAM LISTENING 2142 /tmp/orbit-joe/orb-966890674575668901
unix 2 [ ACC ] STREAM LISTENING 2204 /tmp/orbit-joe/orb-16726292811050342911
unix 2 [ ACC ] STREAM LISTENING 2216 /tmp/orbit-joe/orb-1357028334302018824
unix 2 [ ACC ] STREAM LISTENING 2329 /tmp/orbit-joe/orb-1992341256893642291
unix 2 [ ACC ] STREAM LISTENING 1436 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 2351 /tmp/orbit-joe/orb-868913748745685251
unix 2 [ ACC ] STREAM LISTENING 2360 /tmp/orbit-joe/orb-1030099971200109261
unix 2 [ ACC ] STREAM LISTENING 2368 /tmp/orbit-joe/orb-4977178411792269102
unix 2 [ ACC ] STREAM LISTENING 2580 /tmp/orbit-joe/orb-21375408581529928428
unix 2 [ ACC ] STREAM LISTENING 1744 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 1861 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 2604
unix 3 [ ] STREAM CONNECTED 2603
unix 3 [ ] STREAM CONNECTED 2602
unix 3 [ ] STREAM CONNECTED 2601
unix 3 [ ] STREAM CONNECTED 2583 /tmp/orbit-joe/orb-752467062922421828
unix 3 [ ] STREAM CONNECTED 2582
unix 3 [ ] STREAM CONNECTED 2576 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 2575
unix 3 [ ] STREAM CONNECTED 2572 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2571
unix 3 [ ] STREAM CONNECTED 2568 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2567
unix 3 [ ] STREAM CONNECTED 2566 /tmp/orbit-joe/orb-1992341256893642291
unix 3 [ ] STREAM CONNECTED 2565
unix 3 [ ] STREAM CONNECTED 2511 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2510
unix 3 [ ] STREAM CONNECTED 2509 /tmp/orbit-joe/orb-1030099971200109261
unix 3 [ ] STREAM CONNECTED 2508
unix 3 [ ] STREAM CONNECTED 2507 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2506
unix 3 [ ] STREAM CONNECTED 2505 /tmp/orbit-joe/orb-4977178411792269102
unix 3 [ ] STREAM CONNECTED 2504
unix 3 [ ] STREAM CONNECTED 2503 /tmp/.famSxGkE6
unix 3 [ ] STREAM CONNECTED 2502
unix 3 [ ] STREAM CONNECTED 2495 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2494
unix 3 [ ] STREAM CONNECTED 2493 /tmp/orbit-joe/orb-868913748745685251
unix 3 [ ] STREAM CONNECTED 2492
unix 3 [ ] STREAM CONNECTED 2488 /tmp/orbit-joe/orb-1992341256893642291
unix 3 [ ] STREAM CONNECTED 2487
unix 3 [ ] STREAM CONNECTED 2486 /tmp/orbit-joe/orb-1030099971200109261
unix 3 [ ] STREAM CONNECTED 2485
unix 3 [ ] STREAM CONNECTED 2484 /tmp/orbit-joe/orb-4977178411792269102
unix 3 [ ] STREAM CONNECTED 2482
unix 3 [ ] STREAM CONNECTED 2477 /tmp/orbit-joe/orb-868913748745685251
unix 3 [ ] STREAM CONNECTED 2475
unix 3 [ ] STREAM CONNECTED 2459 /tmp/orbit-joe/orb-1030099971200109261
unix 3 [ ] STREAM CONNECTED 2458
unix 3 [ ] STREAM CONNECTED 2457 /tmp/orbit-joe/orb-4977178411792269102
unix 3 [ ] STREAM CONNECTED 2456
unix 3 [ ] STREAM CONNECTED 2455 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2447
unix 3 [ ] STREAM CONNECTED 2445 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2444
unix 3 [ ] STREAM CONNECTED 2453 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2437
unix 3 [ ] STREAM CONNECTED 2435 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2434
unix 3 [ ] STREAM CONNECTED 2426 /tmp/orbit-joe/orb-868913748745685251
unix 3 [ ] STREAM CONNECTED 2425
unix 3 [ ] STREAM CONNECTED 2422 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2421
unix 3 [ ] STREAM CONNECTED 2418 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2417
unix 3 [ ] STREAM CONNECTED 2407 /tmp/orbit-joe/orb-1992341256893642291
unix 3 [ ] STREAM CONNECTED 2406
unix 3 [ ] STREAM CONNECTED 2405 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2404
unix 3 [ ] STREAM CONNECTED 2401 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2400
unix 3 [ ] STREAM CONNECTED 2382 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2380
unix 3 [ ] STREAM CONNECTED 2376 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2375
unix 3 [ ] STREAM CONNECTED 2373 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2372
unix 3 [ ] STREAM CONNECTED 2365 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2364
unix 3 [ ] STREAM CONNECTED 2310 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2309
unix 3 [ ] STREAM CONNECTED 2308 /tmp/orbit-joe/orb-281288151197129365
unix 3 [ ] STREAM CONNECTED 2307
unix 3 [ ] STREAM CONNECTED 2306 /tmp/orbit-joe/orb-281288151197129365
unix 3 [ ] STREAM CONNECTED 2304
unix 3 [ ] STREAM CONNECTED 2303 /tmp/orbit-joe/orb-281288151197129365
unix 3 [ ] STREAM CONNECTED 2302
unix 3 [ ] STREAM CONNECTED 2301 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2300
unix 3 [ ] STREAM CONNECTED 2297 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2296
unix 3 [ ] STREAM CONNECTED 2286 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2285
unix 3 [ ] STREAM CONNECTED 2272 /tmp/.fam4zzgvv
unix 3 [ ] STREAM CONNECTED 2271
unix 3 [ ] STREAM CONNECTED 2244 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2243
unix 3 [ ] STREAM CONNECTED 2237 /tmp/orbit-joe/orb-1357028334302018824
unix 3 [ ] STREAM CONNECTED 2234
unix 3 [ ] STREAM CONNECTED 2233 /tmp/orbit-joe/orb-613782641346152204
unix 3 [ ] STREAM CONNECTED 2232
unix 3 [ ] STREAM CONNECTED 2228 /tmp/orbit-joe/orb-752467062922421828
unix 3 [ ] STREAM CONNECTED 2227
unix 3 [ ] STREAM CONNECTED 2226 /tmp/orbit-joe/orb-16726292811050342911
unix 3 [ ] STREAM CONNECTED 2222
unix 3 [ ] STREAM CONNECTED 2221 /tmp/orbit-joe/orb-613782641346152204
unix 3 [ ] STREAM CONNECTED 2220
unix 3 [ ] STREAM CONNECTED 2212 /tmp/orbit-joe/orb-752467062922421828
unix 3 [ ] STREAM CONNECTED 2211
unix 3 [ ] STREAM CONNECTED 2208 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2207
unix 3 [ ] STREAM CONNECTED 2201 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2200
unix 3 [ ] STREAM CONNECTED 2165 /tmp/orbit-joe/orb-2702098501191095947
unix 3 [ ] STREAM CONNECTED 2164
unix 3 [ ] STREAM CONNECTED 2163 /tmp/orbit-joe/orb-966890674575668901
unix 3 [ ] STREAM CONNECTED 2157
unix 3 [ ] STREAM CONNECTED 2156 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2155
unix 2 [ ] DGRAM 2141
unix 3 [ ] STREAM CONNECTED 2138 /tmp/orbit-joe/orb-79728072878740721
unix 3 [ ] STREAM CONNECTED 2134
unix 3 [ ] STREAM CONNECTED 2115 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 2114
unix 3 [ ] STREAM CONNECTED 2111 /tmp/orbit-joe/orb-752467062922421828
unix 3 [ ] STREAM CONNECTED 2110
unix 3 [ ] STREAM CONNECTED 2102 /tmp/orbit-joe/orb-752467062922421828
unix 3 [ ] STREAM CONNECTED 2100
unix 3 [ ] STREAM CONNECTED 2096 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2095
unix 3 [ ] STREAM CONNECTED 2088 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2087
unix 2 [ ] DGRAM 2086
unix 3 [ ] STREAM CONNECTED 2070 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 2069
unix 3 [ ] STREAM CONNECTED 2066 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2065
unix 3 [ ] STREAM CONNECTED 2059 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2058
unix 3 [ ] STREAM CONNECTED 2060 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 2055
unix 3 [ ] STREAM CONNECTED 2052 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 2051
unix 3 [ ] STREAM CONNECTED 1987 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 1986
unix 3 [ ] STREAM CONNECTED 1906 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 1905
unix 3 [ ] STREAM CONNECTED 1882 /tmp/.ICE-unix/1417
unix 3 [ ] STREAM CONNECTED 1881
unix 3 [ ] STREAM CONNECTED 1880 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 1879
unix 3 [ ] STREAM CONNECTED 1866 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 1865
unix 3 [ ] STREAM CONNECTED 1765 /tmp/.font-unix/fs7100
unix 3 [ ] STREAM CONNECTED 1764
unix 4 [ ] STREAM CONNECTED 1767 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 1746
unix 2 [ ] DGRAM 1651
unix 2 [ ] DGRAM 1535
unix 2 [ ] DGRAM 1491
unix 2 [ ] DGRAM 1415
unix 2 [ ] DGRAM 1360
unix 2 [ ] DGRAM 1358
unix 2 [ ] DGRAM 1284
unix 2 [ ] DGRAM 1237
unix 2 [ ] DGRAM 1099
unix 2 [ ] STREAM CONNECTED 623
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: jdini76
Thanks man,

I did what you said, and I see things running, but I don't know what is supposed to be there. I have included the netstat output with this post. Could you take a look and let me know if anything is out of the ordinary? I see a lot of things running from my /tmp directory, but I don't really know if it should be there or not. Thanks.

The /tmp stuff looks fine, but don't quote me on that. I haven't looked at a machine running X in a while ;)

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN

This looks fishy, but since it's on loopback I wouldn't worry too much.

tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN

Is this SWAT?? If you aren't running Samba, look into this.

tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN

Recognize SMUX? I don't. This could be a bad one.

tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN

Looks like you are running Samba ;)

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN

RPC... This is bad to run unless you need it.

tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN

X Windows.

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN

SOCKS proxy?

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN

Webserver?

tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN

Identd?

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

SSH?

tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN

sendmail/postfix/qmail/exim?

tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN

https?

udp 0 0 192.168.1.2:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.2:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*

I think these are all Samba related...

udp 0 0 0.0.0.0:161 0.0.0.0:*

SNMP?

udp 0 0 0.0.0.0:3049 0.0.0.0:*

NSWS?!

udp 0 0 0.0.0.0:111 0.0.0.0:*

RPC again...

My guesses are:
1. You installed RH and software and got on the net without a firewall in place.
2. You installed RH and software and did not patch or use the latest versions, and a service you are running is vulnerable (Apache chunking? OpenSSL on your webserver?).
3. You installed RH and software, remembered to patch the system, but forgot about the rest of the software.

From the output I quoted above, it looks like you do not know how to lock down a Linux machine. It is pretty simple and quick (if you know what you are doing ;)), and there are plenty of texts available on the subject. If I get a chance I will write something up. Give me a run-down on what the machine is supposed to do. My advice is to reinstall at this point, but only after reading one of the available texts.
 
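The reply above walks the listener list by hand, sorting each socket into "loopback, don't worry" or "bound everywhere, what is it?". The script below does that triage mechanically over `netstat -an` text: it splits listeners by bind address and attaches the conventional service name so that the unexplained ones (32768, 199, 3049) stand out. It is an added example, not the thread's own tooling; the function names are hypothetical, the name table is drawn from the annotations in the reply and the standard /etc/services assignments, and the embedded sample input is the listener block jdini76 posted, copied here so the script runs offline. Only IPv4 addresses appear in that output, which is all the address parsing handles.

```shell
#!/bin/sh
# Triage of netstat -an listeners by exposure (added example, hypothetical names).

# Sample input: the listener block from the post above, embedded for offline use.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
udp 0 0 192.168.1.2:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.1.2:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:161 0.0.0.0:*
udp 0 0 0.0.0.0:3049 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*'

# service_name PORT PROTO: the conventional name for a port. "unknown" means
# "go find the owning process", not "harmless".
service_name() {
    case "$1/$2" in
        22/tcp)   echo ssh ;;
        25/tcp)   echo smtp ;;
        80/tcp)   echo http ;;
        111/*)    echo sunrpc ;;
        113/tcp)  echo auth ;;
        137/udp)  echo netbios-ns ;;
        138/udp)  echo netbios-dgm ;;
        139/tcp)  echo netbios-ssn ;;
        161/udp)  echo snmp ;;
        199/tcp)  echo smux ;;
        443/tcp)  echo https ;;
        901/tcp)  echo swat ;;
        3049/*)   echo nsws ;;
        6000/tcp) echo x11 ;;
        8080/tcp) echo http-alt ;;
        *)        echo unknown ;;
    esac
}

# triage_listeners: reads netstat -an output on stdin, prints one line per
# listening socket as "SCOPE PROTO PORT NAME" where SCOPE is loopback or exposed.
# TCP sockets count only in state LISTEN; UDP sockets have no state and all count.
triage_listeners() {
    awk '
        ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "exposed"
            print scope, $1, port
        }' |
    while read -r scope proto port; do
        printf '%s %s %s %s\n' "$scope" "$proto" "$port" "$(service_name "$port" "$proto")"
    done
}

# main: pipe real output in (netstat -an | sh triage.sh); with no pipe, use the sample.
main() {
    if [ -t 0 ]; then
        printf '%s\n' "$SAMPLE_NETSTAT" | triage_listeners | sort
    else
        triage_listeners | sort
    fi
}
main "$@"
```

On the sample this yields 17 exposed sockets and 2 loopback ones; the exposed lines tagged `unknown` or carrying a name the admin cannot account for (199/tcp, 3049/udp, 901/tcp on a box that was not meant to run SWAT) are the ones worth tying back to a process.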

manly

Lifer
Jan 25, 2000
Improved signal-to-noise ratio:

# netstat --inet -ap | grep LISTEN

:)

Although for some reason not apparent to me, --inet sometimes is not comprehensive. For example, my Java-based listening servers don't seem to show up. Neither does sshd? :confused:

The workaround is to instead specify the TCP protocol option --tcp.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: manly
Improved signal-to-noise ratio:

# netstat --inet -ap | grep LISTEN

:)

Although for some reason not apparent to me, --inet sometimes is not comprehensive. For example, my Java-based listening servers don't seem to show up. Neither does sshd? :confused:

The workaround is to instead specify the TCP protocol option --tcp.

That does not show which program is listening for me.

EDIT: Actually it doesn't work unless I drop the -ap
 

manly

Lifer
Jan 25, 2000
Originally posted by: n0cmonkey
Originally posted by: manly
Improved signal-to-noise ratio:

# netstat --inet -ap | grep LISTEN

:)

Although for some reason not apparent to me, --inet sometimes is not comprehensive. For example, my Java-based listening servers don't seem to show up. Neither does sshd? :confused:

The workaround is to instead specify the TCP protocol option --tcp.

That does not show which program is listening for me.

EDIT: Actually it doesn't work unless I drop the -ap
I don't know what OS you're using, but here's a snippet from my man page:
-p, --program
Show the PID and name of the program to which each socket
belongs.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: manly
Originally posted by: n0cmonkey
Originally posted by: manly
Improved signal-to-noise ratio:

# netstat --inet -ap | grep LISTEN

:)

Although for some reason not apparent to me, --inet sometimes is not comprehensive. For example, my Java-based listening servers don't seem to show up. Neither does sshd? :confused:

The workaround is to instead specify the TCP protocol option --tcp.

That does not show which program is listening for me.

EDIT: Actually it doesn't work unless I drop the -ap
I don't know what OS you're using, but here's a snippet from my man page:
-p, --program
Show the PID and name of the program to which each socket
belongs.

I don't have that option, but it's great to know :)
 

manly

Lifer
Jan 25, 2000
Originally posted by: n0cmonkey

I don't have that option, but it's great to know :)
I don't know who actually maintains this netstat (SuSE Linux has had that option for ages), but I'll throw in the obligatory:

God bless GNU tools. ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: manly
Originally posted by: n0cmonkey

I don't have that option, but it's great to know :)
I don't know who actually maintains this netstat (SuSE Linux has had that option for ages), but I'll throw in the obligatory:

God bless GNU tools. ;)

I prefer different tools for different jobs, the way Unix was built ;)

Anyhow, one of the main reasons (besides the fact I didn't know netstat does more than it has to) I recommended using lsof was because it probably is not on the system right now. So if there is an ELF trojan or something going around, it might be the best way to go. Of course, having this and other tools on a bootable CD-ROM would make life easier too.
 
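The exchange above comes down to one question: which process owns a given listening socket, on a box whose `netstat` has no `-p` and whose `ps` is not to be trusted. What `lsof -i` and `netstat -p` actually do is read `/proc/net/tcp`, which lists every socket with its inode, and then look for a `socket:[inode]` link under some `/proc/PID/fd/`. The script below does that walk directly; it is an added example, not something from the thread, with hypothetical function names. It assumes a Linux procfs, needs root to read other users' fd tables, and the `/proc/net/tcp` text it parses offline is constructed to look like the real file (local address in hex, little-endian IPv4, state 0A meaning LISTEN). As the reply notes, the awk and readlink binaries are as trustworthy as the rest of a compromised box, so this belongs on the bootable CD-ROM along with lsof.

```shell
#!/bin/sh
# Socket-to-process mapping through /proc (added example, hypothetical names).

# Constructed /proc/net/tcp sample: sshd-style listener on 0.0.0.0:22 (inode 1234),
# a loopback listener on 127.0.0.1:25 (inode 1235) and one ESTABLISHED connection
# on 192.168.1.2:901 (state 01) that must not be reported as a listener.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:0385 0101A8C0:C35A 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 20 4 30 10 -1'

# listening_sockets: reads /proc/net/tcp text on stdin and prints
# "PORT ADDR INODE" for every socket in state 0A (LISTEN).
listening_sockets() {
    awk '
        # hex2dec: POSIX awk has no hex conversion, so do it by hand
        function hex2dec(h,    i, v) {
            v = 0
            h = toupper(h)
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
            return v
        }
        # hex2ip: 8 hex digits, least significant byte first (0100007F = 127.0.0.1)
        function hex2ip(h,    ip) {
            ip = hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2))
            ip = ip "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
            return ip
        }
        $4 == "0A" {
            split($2, a, ":")
            print hex2dec(a[2]), hex2ip(a[1]), $10
        }'
}

# owner_of_inode INODE: print "PID EXE" for every process whose fd table holds
# the socket. Unreadable fd directories (other users, without root) are skipped.
owner_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done | sort -u
}

# report: every live TCP listener with the process behind it. A listener that no
# process claims is either unreadable without root or held by something hiding
# its fd table; either way it is the next thing to look at.
report() {
    listening_sockets < /proc/net/tcp | while read -r port addr inode; do
        owner=$(owner_of_inode "$inode" | tr '\n' ';')
        printf '%s:%s  inode %s  owner: %s\n' "$addr" "$port" "$inode" \
            "${owner:-none found (need root, or the owner is hidden)}"
    done
}

# Live run only on request: sh socket-owner.sh --live
case "${1:-}" in --live) report ;; esac
```

On a modern system the same table exists for IPv6 at `/proc/net/tcp6` (32 hex digits per address) and for UDP at `/proc/net/udp`, where there is no LISTEN state and every bound socket is a candidate; the inode-to-fd lookup is identical.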

jdini76

Platinum Member
Mar 16, 2001
Thanks guys... I am new to admining my own machine, and it is behind a Linksys router/firewall. I know it's not the greatest, but I would imagine it would help somewhat. Anyway, thanks for the info. I just basically use it as a webserver. I did have it set up as a mail server as well, but I think I am going to do away with that because it would be too much trouble for as little mail as I receive.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: jdini76
Thanks guys... I am new to admining my own machine, and it is behind a Linksys router/firewall. I know it's not the greatest, but I would imagine it would help somewhat. Anyway, thanks for the info. I just basically use it as a webserver. I did have it set up as a mail server as well, but I think I am going to do away with that because it would be too much trouble for as little mail as I receive.

Then it was probably an Apache or OpenSSL vuln, if it was broken into.