
Re: who owns the ports?

On Wed, 7 Feb 2001, Carl Brock Sides wrote:

> My immediate guess, upon seeing anything running on 31337, is that
> you've been "0wn3d", as the script kiddies put it, and maybe lsof has
> been trojaned not to list the attacker's processes.
> You are running lsof as root, right? It won't show you everything as an
> ordinary user.
> You don't say what version of Debian you're running. If you're running
> potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
> be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof
> If that's not it, it's a trojan. I'd guess that other useful tools for
> finding out what's going on, e.g. ls and ps and fuser, have been
> trojaned as well. (Although you might want to try "fuser 31337/tcp",
> maybe the attacker forgot about it.)
> Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
> interested in further investigation.

This may not be enough: recent rootkits install trojan libraries or even a
trojan kernel module, and intercept system calls directly, with no need to
tamper with tools. Therefore they are both more difficult to detect and
more difficult to clean. To be safe you need to boot from a safe kernel
and/or run statically linked utilities. A clean rescue cdrom is the safest



Giacomo Mulas <gmulas@ca.astro.it, gmulas@tiscalinet.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddy Mercury)
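A defender-side check in the spirit of the advice in this thread: verify the installed files of the packages named above (lsof-2.2, psmisc and so on) against the checksums dpkg recorded at install time, running from clean rescue media with the suspect disk mounted. This is an added example, not code from either poster; the dpkg md5sums layout is real, but the mount point, the package names and the demo tree are assumptions built inline.

```shell
#!/bin/sh
# Check a Debian package's installed files against the md5sums dpkg recorded
# at install time (/var/lib/dpkg/info/<pkg>.md5sums, paths relative to /).
# Meant to be run from clean rescue media with the suspect root mounted at $1,
# so neither the md5sum binary nor the kernel doing the reads is the suspect's.
# Caveat: the .md5sums lists live on the suspect disk too and can be edited,
# so a mismatch proves tampering but a match does not prove a file is clean;
# for that, compare against the checksums of a freshly downloaded .deb.

verify_pkg() {               # usage: verify_pkg /mnt/suspect lsof-2.2
  root=$1 pkg=$2 bad=0
  list="$root/var/lib/dpkg/info/$pkg.md5sums"
  [ -f "$list" ] || { echo "no md5sums list for $pkg"; return 2; }
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$root/$path" ]; then
      echo "MISSING $path"; bad=1; continue
    fi
    actual=$(md5sum "$root/$path" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MODIFIED $path"; bad=1
    fi
  done < "$list"
  return $bad
}

# Constructed demo tree standing in for a mounted suspect root (not real data):
# dpkg's lists are generated from the pristine files, then lsof is "trojaned".
make_demo_root() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/sbin" "$d/var/lib/dpkg/info"
  printf 'pristine lsof binary\n' > "$d/usr/sbin/lsof"
  printf 'pristine fuser binary\n' > "$d/usr/sbin/fuser"
  (cd "$d" && md5sum usr/sbin/lsof) > "$d/var/lib/dpkg/info/lsof-2.2.md5sums"
  (cd "$d" && md5sum usr/sbin/fuser) > "$d/var/lib/dpkg/info/psmisc.md5sums"
  printf 'backdoor\n' >> "$d/usr/sbin/lsof"   # simulate a replaced tool
  echo "$d"
}

demo=$(make_demo_root)
verify_pkg "$demo" psmisc   && echo "psmisc: OK"
verify_pkg "$demo" lsof-2.2 || echo "lsof-2.2: FAILED verification"
rm -rf "$demo"
```

On a real system the call is `verify_pkg /mnt/suspect lsof-2.2` after mounting the suspect root read-only; a second copy of the md5sums taken before the incident, or the checksums from a fresh .deb, closes the gap the caveat describes.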
