question from a newbie regarding possible trojan
I have been tracking some weird activity on my external interface lately (the last few days).
I used "snort", and the portscan.log file shows the following activity:
#tail portscan.log
Sep 17 00:21:41 <my ip>:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 <my ip>:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1503 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 <my ip>:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:22:22 <my ip>:1505 -> 207.46.235.162:80 SYN ******S*
Sep 17 00:24:21 <my ip>:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 <my ip>:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 <my ip>:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:25:55 <my ip>:1516 -> 209.11.107.14:80 SYN ******S*
I checked what processes are running on my machine, and there is nothing
that I think might be suspicious.
(I run bind9 on my internal interface, which has been configured to have no
access to the outside world)
PID TTY STAT TIME COMMAND
1 ? S 0:04 init [2]
2 ? SW 0:02 [keventd]
3 ? SWN 0:00 [ksoftirqd_CPU0]
4 ? SW 0:00 [kswapd]
5 ? SW 0:00 [bdflush]
6 ? SW 0:00 [kupdated]
7 ? SW 0:00 [i2oevtd]
9 ? SW 0:00 [kjournald]
73 ? SW 0:00 [kjournald]
74 ? SW 0:00 [kjournald]
75 ? SW 0:00 [kjournald]
102 ? SW 0:00 [eth0]
112 ? S 0:00 /sbin/dhclient-2.2.x -q eth0
187 ? S 0:00 /sbin/syslogd
193 ? S 0:01 /sbin/klogd
199 ? S 0:00 /usr/sbin/named
202 ? S 0:00 /usr/sbin/named
207 ? S 0:03 /usr/sbin/named
208 ? S 0:00 /usr/sbin/named
209 ? S 0:00 /usr/sbin/named
316 ? S 0:00 /usr/sbin/sshd
319 ? S 0:00 /usr/sbin/cron
322 tty1 S 0:00 -bash
323 tty2 S 0:00 -bash
324 tty3 S 0:00 -bash
325 tty4 S 0:00 /sbin/getty 38400 tty4
326 tty5 S 0:00 /sbin/getty 38400 tty5
327 tty6 S 0:00 /sbin/getty 38400 tty6
328 tty8 S 0:00 /sbin/getty 38400 tty8
330 tty1 S 0:00 bash
347 tty2 S 0:00 bash
368 tty1 S 0:02 snort
369 tty3 S 0:00 bash
391 tty2 R 0:00 ps ax
Also, netstat and nmap showed no open connections other than my sshd, which
has been patched with the latest patch (English version).
Do I have a trojan on my computer? Could someone point me in the right
direction on how I can stop this unauthorized traffic?
Thanks in advance.
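As an added example (not part of the original post), the script below parses lines in the snort portscan.log format shown in the post, keeps only the SYN packets whose source is the monitored host, and summarises them by destination port and destination host. It flags any destination port outside an allowlist the admin supplies, and it also reports whether the local source ports rise monotonically from one line to the next, which is consistent with a single TCP stack opening ordinary client connections one after another rather than several tools or hosts talking at once. The local address 192.0.2.10, the allowlist {80, 443} and the sample lines (the post's entries with `<my ip>` replaced, plus one inbound SYN and one malformed line to show the filtering) are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Regex for the snort portscan.log line format shown in the post, e.g.
#   "Sep 17 00:21:41 192.0.2.10:1489 -> 207.46.197.113:80 SYN ******S*"
# The day may be space-padded ("Sep  7"), so allow one or more spaces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<scan>\S+) (?P<flags>\S+)$"
)

# Constructed sample: the post's lines with <my ip> replaced by 192.0.2.10
# (a documentation address), plus an inbound SYN and a malformed line.
SAMPLE_LOG = """\
Sep 17 00:21:41 192.0.2.10:1489 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:42 192.0.2.10:1501 -> 207.46.197.113:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1502 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1503 -> 207.46.196.102:80 SYN ******S*
Sep 17 00:21:58 192.0.2.10:1504 -> 207.68.184.62:80 SYN ******S*
Sep 17 00:22:22 192.0.2.10:1505 -> 207.46.235.162:80 SYN ******S*
Sep 17 00:24:21 192.0.2.10:1507 -> 24.71.223.43:110 SYN ******S*
Sep 17 00:24:24 192.0.2.10:1511 -> 142.58.120.21:110 SYN ******S*
Sep 17 00:25:49 192.0.2.10:1514 -> 207.46.235.150:80 SYN ******S*
Sep 17 00:25:55 192.0.2.10:1516 -> 209.11.107.14:80 SYN ******S*
Sep 17 00:26:03 198.51.100.7:40000 -> 192.0.2.10:22 SYN ******S*
this line is not a portscan.log entry
""".splitlines()


def parse_line(line):
    """Parse one portscan.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def outbound_syns(lines, local_ip):
    """Keep SYN-only packets (flags ******S*) whose source address is local_ip, in log order."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == local_ip and rec["flags"] == "******S*":
            records.append(rec)
    return records


def summarize(records, expected_ports):
    """Count outbound SYNs per destination port, list the hosts per port,
    and flag ports that are not in the admin-supplied allowlist."""
    by_port = Counter(r["dport"] for r in records)
    hosts_by_port = defaultdict(set)
    for r in records:
        hosts_by_port[r["dport"]].add(r["dst"])
    hosts = {p: sorted(h) for p, h in hosts_by_port.items()}
    unexpected = {p: hosts[p] for p in by_port if p not in expected_ports}
    return {"by_port": dict(by_port), "hosts_by_port": hosts, "unexpected": unexpected}


def source_ports_increasing(records):
    """True if every local source port is higher than the previous one (log order).
    A strictly rising sequence is consistent with one TCP stack allocating
    ephemeral ports for successive client connections."""
    sports = [r["sport"] for r in records]
    return all(a < b for a, b in zip(sports, sports[1:]))


if __name__ == "__main__":
    recs = outbound_syns(SAMPLE_LOG, "192.0.2.10")
    report = summarize(recs, expected_ports={80, 443})   # allowlist is an assumption
    print("outbound SYNs per destination port:", report["by_port"])
    for port, hosts in report["hosts_by_port"].items():
        print(f"  port {port}: {', '.join(hosts)}")
    print("destination ports outside the allowlist:", report["unexpected"])
    print("local source ports strictly increasing:", source_ports_increasing(recs))
```

Feed it the real file with `python3 portscan_summary.py < /var/log/snort/portscan.log` after changing `SAMPLE_LOG` to `sys.stdin`, and compare the flagged ports and hosts with what `netstat -tanp` shows at the moment of a burst; that ties each outbound connection to a PID, which the `ps` listing alone cannot do.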