
question from a newbie regarding possible trojan



I have tracked some weird activity on my external interface lately (the last few days).
I used "snort", and the portscan.log file shows the following activity:

#tail portscan.log

Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*

I checked what processes are running on my machine, and there is nothing
that I think might be suspicious.
(I run bind9 on my internal interface, which has been configured to have no
access to the outside world)

  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init [2]
    2 ?        SW     0:02 [keventd]
    3 ?        SWN    0:00 [ksoftirqd_CPU0]
    4 ?        SW     0:00 [kswapd]
    5 ?        SW     0:00 [bdflush]
    6 ?        SW     0:00 [kupdated]
    7 ?        SW     0:00 [i2oevtd]
    9 ?        SW     0:00 [kjournald]
   73 ?        SW     0:00 [kjournald]
   74 ?        SW     0:00 [kjournald]
   75 ?        SW     0:00 [kjournald]
  102 ?        SW     0:00 [eth0]
  112 ?        S      0:00 /sbin/dhclient-2.2.x -q eth0
  187 ?        S      0:00 /sbin/syslogd
  193 ?        S      0:01 /sbin/klogd
  199 ?        S      0:00 /usr/sbin/named
  202 ?        S      0:00 /usr/sbin/named
  207 ?        S      0:03 /usr/sbin/named
  208 ?        S      0:00 /usr/sbin/named
  209 ?        S      0:00 /usr/sbin/named
  316 ?        S      0:00 /usr/sbin/sshd
  319 ?        S      0:00 /usr/sbin/cron
  322 tty1     S      0:00 -bash
  323 tty2     S      0:00 -bash
  324 tty3     S      0:00 -bash
  325 tty4     S      0:00 /sbin/getty 38400 tty4
  326 tty5     S      0:00 /sbin/getty 38400 tty5
  327 tty6     S      0:00 /sbin/getty 38400 tty6
  328 tty8     S      0:00 /sbin/getty 38400 tty8
  330 tty1     S      0:00 bash
  347 tty2     S      0:00 bash
  368 tty1     S      0:02 snort
  369 tty3     S      0:00 bash
  391 tty2     R      0:00 ps ax

Also, netstat and nmap showed no open connections other than my sshd, which
has been patched with the latest patch (English version).

Do I have a trojan on my computer?  Could someone point me in the right
direction on how I can stop this unauthorized traffic?

Thanks in advance.
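A small triage script for a portscan.log like the one above, added here as an example and not part of the original message: it parses snort's portscan.log line format (the sample lines below are constructed in that format, with "<my ip>" kept as the source placeholder) and reports, per destination port, which hosts were contacted, whether the source ports climb like ordinary ephemeral client ports, and the time span covered.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the portscan.log excerpt quoted in the post.
SAMPLE_LOG = """\
Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*
"""

# "<Mon> <day> <hh:mm:ss> <src>:<sport> -> <dst>:<dport> <flags> <flagbits>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>.+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<bits>\S+)$"
)

def parse_portscan(text):
    """One dict per well-formed line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({
                "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"],
            })
    return events

def summarize(events):
    """Triage view: distinct targets per destination port, source-port pattern, time span."""
    targets = defaultdict(set)
    for e in events:
        targets[e["dport"]].add(e["dst"])
    sports = [e["sport"] for e in events]
    span = (events[-1]["ts"] - events[0]["ts"]).total_seconds() if events else 0.0
    return {
        "total_syns": len(events),
        "targets_by_dport": {p: sorted(h) for p, h in targets.items()},
        # Rising ephemeral source ports are what ordinary client connect() calls produce;
        # it is consistent with a browser or mail client but does not by itself prove it.
        "source_ports_increasing": all(a < b for a, b in zip(sports, sports[1:])),
        "span_seconds": span,
    }
```

The next step in a triage is to match each SYN's source port against the owning process at the time (netstat with its program-name option, or lsof), since a portscan log alone never tells you which process opened the socket.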
