Re: question from a newbie regarding possible trojan
On Tuesday 17 September 2002 08:36, Adrian Gheorghe wrote:
> I have tracked a weird activity on my external interface lately (few days)
> I used "snort", and the portscan.log file shows the following activity:
> #tail portscan.log
> also netstat and nmap showed no open connections other than my sshd, which
> has been patched with the latest patch (English version).
> Do I have a trojan on my computer? Could someone point me in the right
> direction on how I can stop this unauthorized traffic?
> thanx in advance.
You can check the date and size of some files like /bin/ps /bin/netstat to
see if they have timestamps consistent with the other files on the same
directories and check that their size is not too small or too big. A normal
ps should have around 60kB and netstat around 86kB. If you see big
differences, suspect that your machine has been compromised and some kind of
rootkit may have been installed.
For example, sometimes you can check if ps and netstat are compromised by
doing a strace to these commands and checking for odd things, like hiding
certain process names or network connections. I've detected a network sniffer
this way, by stracing a /bin/ps that had been replaced by a rootkit version
that didn't display certain process names. It was quite easy to see the
program checking the process names and not displaying certain ones.
You could also copy a good ps command from another similar machine (one that
you are sure is *not* compromised) to your root directory and see if
running that one shows strange processes.
Hope this helps.
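The checks suggested in the reply above (timestamps and sizes of /bin/ps and /bin/netstat, comparison against a known-good copy, stracing the binary, and running a trusted ps to look for hidden processes), scripted as an added example that is not part of the original thread. It assumes Linux with GNU coreutils (stat -c, sha256sum) and procps ps; the size bounds passed to size_in_range and the 30-day window are the caller's assumptions, not facts about any distribution. The /proc cross-check goes one step beyond the post: instead of needing a second ps binary it compares ps output with the process list the kernel exposes directly.

```shell
#!/bin/sh
# Added example, not part of the original thread: scripted versions of the checks
# suggested for a possibly trojaned ps/netstat. Assumes GNU coreutils (stat -c,
# sha256sum) and procps on Linux; size bounds and the 30-day window are assumptions.

# 1. Timestamp check: print files in a directory whose mtime is more than N days
#    away from the directory's median mtime. A freshly dropped rootkit binary in
#    /bin usually stands out here (unless the attacker reset the timestamps).
mtime_outliers() {
    dir=$1; days=${2:-30}
    win=$((days * 86400))
    stat -c '%Y %n' "$dir"/* | sort -n | awk -v win="$win" '
        { t[NR] = $1; name[NR] = $2 }
        END {
            med = t[int((NR + 1) / 2)]
            for (i = 1; i <= NR; i++) {
                d = t[i] - med; if (d < 0) d = -d
                if (d > win) print d, name[i]
            }
        }'
}

# 2. Size sanity check: succeed only if the file is within [low, high] bytes.
#    The caller supplies the expected range (the reply quotes roughly 60kB for ps
#    and 86kB for netstat on the poster's system; treat those as rough guides).
size_in_range() {
    f=$1; low=$2; high=$3
    sz=$(wc -c < "$f")
    [ "$sz" -ge "$low" ] && [ "$sz" -le "$high" ]
}

# 3. Compare the suspect binary with a copy taken from a machine you trust.
#    Succeeds when the SHA-256 digests match.
same_as_known_good() {
    a=$(sha256sum "$1" | cut -d ' ' -f1)
    b=$(sha256sum "$2" | cut -d ' ' -f1)
    [ "$a" = "$b" ]
}

# 4. Cross-check a ps binary against /proc: PIDs present in /proc but absent from
#    its output are candidates for processes it is hiding. Run it twice; PIDs that
#    disappear on the second run were just short-lived processes (the ls/sort
#    pipeline itself, for instance), not hidden ones.
hidden_pids() {
    ps_bin=${1:-ps}
    t1=$(mktemp) && t2=$(mktemp) || return 2
    ls /proc | grep -E '^[0-9]+$' | sort > "$t1"
    "$ps_bin" -e -o pid= | tr -d ' ' | sort > "$t2"
    hidden=$(comm -23 "$t1" "$t2")
    rm -f "$t1" "$t2"
    [ -z "$hidden" ] && return 0
    printf 'PIDs in /proc but not in %s output:\n%s\n' "$ps_bin" "$hidden"
    return 1
}

# 5. strace the suspect command and list files it opens outside the places a stock
#    ps/netstat needs (/proc, /sys, /dev, /etc, /lib*, /usr). A rootkit's ps often
#    reads a hidden configuration file listing the names to suppress; it shows up here.
#    Usage: unusual_opens ps -e
unusual_opens() {
    command -v strace >/dev/null || { echo "strace not installed" >&2; return 2; }
    tr=$(mktemp) || return 2
    strace -f -e trace=open,openat -o "$tr" "$@" >/dev/null 2>&1
    grep -oE '"[^"]+"' "$tr" | tr -d '"' | sort -u \
        | grep -vE '^/(proc|sys|dev|etc|lib|lib64|usr)(/|$)'
    rm -f "$tr"
}

# Only run the live checks when a directory is given on the command line,
# e.g.: sh check_ps.sh /bin
if [ $# -gt 0 ]; then
    echo "== mtime outliers in $1 (more than 30 days from median)"; mtime_outliers "$1" 30
    echo "== ps vs /proc";                                           hidden_pids ps
    echo "== files opened by ps outside the usual paths";           unusual_opens ps -e
fi
```

Run it as `sh check_ps.sh /bin` on the suspect box, and compare the output of same_as_known_good against a ps copied from a machine you trust; a mismatch on a file whose package was never updated, or a PID that stays hidden across two runs of hidden_pids, is the kind of evidence the reply describes. None of these checks is conclusive on its own: a kernel-level rootkit can lie to stat, sha256sum and /proc alike, so a clean result here only rules out the simple binary-replacement case.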