I don't think that there is a SubSeven trojan for Linux. Now there are lots of trojans, to be sure, but I don't think that SubSeven is one of them; it's Windows-only...
However, if your system is compromised it is a very serious matter. If you log into a compromised machine then it is safe to assume that they know all your passwords, and any other machine that you use the same passwords on has probably been hacked too.
The easiest way to clean them up is to take the machine down. Boot up with a live Linux or rescue CD-ROM and back up your e-mail and any special configuration files that you put a lot of work into, and then format the operating system and restart from scratch. That's probably the safest and easiest thing to do.
However, it would be really, really helpful to determine exactly how they compromised your system. If you're running a vintage Red Hat install and never bothered to upgrade or install system patches then it's a pretty easy thing to compromise your system. If you're using a simple password (dictionary word or phrase, fewer than 8 characters in your password) then there is a decent chance that the cracker can use a brute-force login attack on your system and succeed.
But before we start freaking out, how did you figure out that your machine has been compromised? Did you run an nmap scan and it came up with port 27374 open?
If you use nmap and it finds an open port it will suggest common things that use that port. It does not mean that it knows what actually is running. Anything can be running on any port, and even SubSeven can be made to listen on any port that you want it to.
What Red Hat version are you running? If you're running anything earlier than Red Hat 9 and it's unpatched then there's a good chance that you've been owned. It's very, very important that you keep up to date.
Common trojans/worms that listen on port 27374 (from here):
Bad Blood, Fake SubSeven, li0n, Ramen, Seeker, SubSeven, SubSeven 2.1 Gold, SubSeven 2.1.4 DefCon 8, SubSeven 2.2, SubSeven Muie, The Saint.
Out of those, li0n and Ramen are Linux worms that affect older unpatched Red Hat (around 6.x, 7.x or so) systems.
In the future, if you have a legacy Red Hat system that you need to keep using for whatever reason, check out the fedora legacy project. However, with Linux it is very important to keep somewhat up to date. Newer Red Hat ES and AS style server operating systems have a guaranteed life of either 3 or 5 years or so (I can't remember which) so that you can go up to a few years between upgrades. If you don't want to pay for Red Hat's service scheme then you have SuSE and especially Debian that you can expect to be kept up to date security-wise and that allow a smooth upgrade path to newer versions (something Debian does very well through apt-get and online repositories).
For li0n to infect your system you have to be running a BIND DNS server of version 8.2, 8.2-P1, 8.2.1, or 8.2.2-Px. If you have any of those versions running then it would be safe to assume that your system is toast. Ramen is pretty similar.
li0n
Ramen
I don't know exactly what to do, but if you give me more information I'll try to figure something else out. If you're running an ancient Linux version it's time to upgrade now anyway. An easy thing to do would be to simply buy another hard drive for your server if that is practical; they are fairly cheap... Pull out the old hard drive, pop the new one in, install your server on that. If you have a problem then you can simply move back to the old system...
Now, you may not be infected with anything. For instance, if you have a lot of hits on your firewall on those ports, that's common and it doesn't mean anything.
determine running ports
again
how not to get hacked
linuxsecurity.com
linuxsecurity.com docs
reclaiming a compromised system, from linux security quickstart (http://feenix.burgiss.net/ldp/...rusion.html#RECLAIM)
Stuff like that. Once you've been rooted it's about impossible to ever ensure that you can trust that system again. In Unix-land security violations have always been very nasty; you have things like LKM-based root kits that sit between the kernel and operating system and intercept system calls to keep their identity hidden, and unless you boot up with a separate boot disk with security features it's about impossible to find these...
chkrootkit tries to find these things...
More information would be nice if you want something more accurate.
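The post makes the point that nmap's service name is only a guess from the port number, and that anything can listen on any port. One way to act on that on the box itself is to list the listening sockets together with their owning process and compare the (port, process) pair against what you expect, rather than trusting the well-known-port name. The following is an added example (not code from the original post or from any of the linked documents); it parses `ss -tlnp` output and flags listeners whose port or owning process is not on an allowlist. The `ss` output below is constructed for the example, and `ALLOWLIST` is an assumed baseline you would build from a known-good host.

```python
"""Flag unexpected TCP listeners from `ss -tlnp` output.

Added example, not from the original post. The check keys on the owning
process name, not on the port number, because a port number alone does not
identify the service: a listener on 27374 might be SubSeven, li0n, Ramen,
or a perfectly ordinary daemon that was configured to use that port.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `ss -tlnp` output (iproute2 layout). Not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=1044,fd=13))
LISTEN  0       128     0.0.0.0:27374        0.0.0.0:*          users:(("httpd",pid=2291,fd=4))
LISTEN  0       128     [::]:80              [::]:*             users:(("sh",pid=2299,fd=5))
"""

# Assumed baseline of (port, process) pairs a known-good host exposes.
ALLOWLIST: Set[Tuple[int, str]] = {(22, "sshd"), (25, "master"), (80, "httpd")}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str            # "?" when ss could not show the owner (needs root)
    pid: Optional[int]


# Matches the first process entry in ss's users:(("name",pid=N,fd=M)) column.
_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> List[Listener]:
    """Parse `ss -tlnp` output into Listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals like "[::]:80" intact.
        addr, _, port = fields[3].rpartition(":")
        m = _PROC_RE.search(line)
        listeners.append(Listener(addr, int(port),
                                  m.group(1) if m else "?",
                                  int(m.group(2)) if m else None))
    return listeners


def unexpected(listeners: List[Listener],
               allowlist: Set[Tuple[int, str]] = ALLOWLIST) -> List[Listener]:
    """Return listeners whose (port, process) pair is not allowlisted.

    This catches both an unknown port (27374 owned by "httpd") and a
    well-known port owned by the wrong process ("sh" on port 80), which a
    port-number-only check would wave through.
    """
    return [l for l in listeners if (l.port, l.process) not in allowlist]


def live_ss_output() -> str:
    """Capture `ss -tlnp` from the running host (run as root to see owners)."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Use live_ss_output() instead of SAMPLE_SS_OUTPUT on a real host.
    for l in unexpected(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"UNEXPECTED  {l.addr}:{l.port}  process={l.process}  pid={l.pid}")
```

Run it as root so `ss` can report the owning process; without that the process column is empty and every listener shows up as "?". Note that a kernel-level rootkit of the kind the post mentions can hide sockets from `ss` entirely, which is why this check is only worth much when run from a trusted boot medium or compared against a baseline taken before the machine was exposed.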