[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: question from a newbie regarding possible trojan

On Tuesday 17 September 2002 08:36, Adrian Gheorghe wrote:
> I have tracked a weird activity on my external interface lately (few days)
> I used "snort", and the portscan.log file shows the following activity:
> #tail portscan.log
> [...]
> also netstat and nmap showed no open connections other than my sshd, which
> has been patched with the latest patch (english version).
> Do I have a trojan on my computer?  Could someone point me in the right
> direction on how I can stop this unauthorized traffic?
> thanx in advance.


  You can check the date and size of some files like /bin/ps /bin/netstat to 
see if they have timestamps consistent with the other files on the same 
directories and check that their size is not too small or too big. A normal 
ps should have around 60kB and netstat around 86kB. If you see big 
differences, suspect that your machine has been compromised and some kind of 
rootkit may have been installed. 

  For example, sometimes you can check if ps and netstat are compromised by 
doing a strace to these commands and checking for odd things, like hiding 
certain process names or network connections. I've detected a network sniffer 
this way, by stracing a /bin/ps that had been replaced by a rootkit version 
that didn't display certain process names. It was quite easy to see the 
program checking the process names and not displaying certain ones.

  You could also copy a good ps command from another similar machine (one that 
you are sure it is *not* compromised) to your root directory and see if 
running that one shows strange processes. 

 Hope this helps.

Best regards


Reply to: